From: Miss Islington (bot) <31488909+miss-islington@users.noreply.github.com>
Date: Tue, 19 May 2026 08:44:21 +0000 (+0200)
Subject: [3.13] gh-146581: Update docs for dangerous filenames in ZIP files (GH-149994) (GH... 
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=8ee6aff14054b37b53e47194a2fa313e98163c94;p=thirdparty%2FPython%2Fcpython.git

[3.13] gh-146581: Update docs for dangerous filenames in ZIP files (GH-149994) (GH-150066)

(cherry picked from commit ba0aca3bffce431fe2fbd53ca4cd6a717a2e2c19)

Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
Co-authored-by: Sebastian Gassner <sebastian.gassner@gmail.com>
---

diff --git a/Doc/library/shutil.rst b/Doc/library/shutil.rst
index 4e4d7927da77..396e699384d7 100644
--- a/Doc/library/shutil.rst
+++ b/Doc/library/shutil.rst
@@ -728,8 +728,8 @@ provided.  They rely on the :mod:`zipfile` and :mod:`tarfile` modules.
 
       Never extract archives from untrusted sources without prior inspection.
       It is possible that files are created outside of the path specified in
-      the *extract_dir* argument, e.g. members that have absolute filenames
-      starting with "/" or filenames with two dots "..".
+      the *extract_dir* argument, for example, members that have absolute filenames
+      or filenames with ".." components.
 
    .. versionchanged:: 3.7
       Accepts a :term:`path-like object` for *filename* and *extract_dir*.
diff --git a/Doc/library/zipfile.rst b/Doc/library/zipfile.rst
index 32081d66fe3a..7e0eae9d6811 100644
--- a/Doc/library/zipfile.rst
+++ b/Doc/library/zipfile.rst
@@ -374,9 +374,9 @@ ZipFile objects
    .. warning::
 
       Never extract archives from untrusted sources without prior inspection.
-      It is possible that files are created outside of *path*, e.g. members
-      that have absolute filenames starting with ``"/"`` or filenames with two
-      dots ``".."``.  This module attempts to prevent that.
+      It is possible that files are created outside of *path*, for example, members
+      that have absolute filenames or filenames with ".." components.
+      This module attempts to prevent that.
       See :meth:`extract` note.
 
    .. versionchanged:: 3.6
@@ -547,7 +547,7 @@ Path objects
       The :class:`Path` class does not sanitize filenames within the ZIP archive. Unlike
       the :meth:`ZipFile.extract` and :meth:`ZipFile.extractall` methods, it is the
       caller's responsibility to validate or sanitize filenames to prevent path traversal
-      vulnerabilities (e.g., filenames containing ".." or absolute paths). When handling
+      vulnerabilities (for example, absolute paths or paths with ".." components). When handling
       untrusted archives, consider resolving filenames using :func:`os.path.abspath`
       and checking against the target directory with :func:`os.path.commonpath`.