git.ipfire.org Git - thirdparty/Python/cpython.git/commit

]> git.ipfire.org Git - thirdparty/Python/cpython.git/commit

projects / thirdparty / Python / cpython.git / commit

author	Miss Islington (bot) <31488909+miss-islington@users.noreply.github.com>
	Mon, 27 Apr 2026 19:54:45 +0000 (21:54 +0200)
committer	GitHub <noreply@github.com>
	Mon, 27 Apr 2026 19:54:45 +0000 (22:54 +0300)
commit	ab5ef98af693bded74a738570e81ea70abef2840
tree	c23e7f44284e8bbb07e2af36ec69b925b5eddb1d	tree \| snapshot
parent	a724c9f6fb1687aa47af60aa28ab812a334b2638	commit \| diff

[3.13] gh-146581: Fix vulnerability in shutil.unpack_archive() for ZIP files on Windows (GH-146591) (GH-149065)

Use ZipFile.extractall() to sanitize file names and extract files.

Files with invalid names (e.g. absolute paths) are now skipped.

Files containing ".." in the name are no longer skipped.
(cherry picked from commit fc829e88753858c8ac669594bf0093f44948c0f4)

Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>

Lib/shutil.py		diff \| blob \| blame \| history
Lib/test/test_shutil.py		diff \| blob \| blame \| history
Lib/zipfile/__init__.py		diff \| blob \| blame \| history
Misc/NEWS.d/next/Security/2026-03-29-12-51-33.gh-issue-146581.4vZfB0.rst	[new file with mode: 0644]	blob

Mirror of https://github.com/python/cpython.git

RSS Atom