git.ipfire.org Git - thirdparty/Python/cpython.git/commit

]> git.ipfire.org Git - thirdparty/Python/cpython.git/commit

projects / thirdparty / Python / cpython.git / commit

author	Miss Islington (bot) <31488909+miss-islington@users.noreply.github.com>
	Mon, 27 Apr 2026 19:55:02 +0000 (21:55 +0200)
committer	GitHub <noreply@github.com>
	Mon, 27 Apr 2026 19:55:02 +0000 (22:55 +0300)
commit	b01e594fbe754a960212f908d047294e880b52fd
tree	5248aaa52687511c0366a03f486ed95087ae029c	tree \| snapshot
parent	0cd81235351a2c4165860c8f1409e7ca4e5a1653	commit \| diff

[3.14] gh-146581: Fix vulnerability in shutil.unpack_archive() for ZIP files on Windows (GH-146591) (GH-149064)

Use ZipFile.extractall() to sanitize file names and extract files.

Files with invalid names (e.g. absolute paths) are now skipped.

Files containing ".." in the name are no longer skipped.
(cherry picked from commit fc829e88753858c8ac669594bf0093f44948c0f4)

Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>

Lib/shutil.py		diff \| blob \| blame \| history
Lib/test/test_shutil.py		diff \| blob \| blame \| history
Lib/zipfile/__init__.py		diff \| blob \| blame \| history
Misc/NEWS.d/next/Security/2026-03-29-12-51-33.gh-issue-146581.4vZfB0.rst	[new file with mode: 0644]	blob

Mirror of https://github.com/python/cpython.git

RSS Atom