git.ipfire.org Git - thirdparty/Python/cpython.git/commit

]> git.ipfire.org Git - thirdparty/Python/cpython.git/commit

projects / thirdparty / Python / cpython.git / commit

author	Serhiy Storchaka <storchaka@gmail.com>
	Mon, 27 Apr 2026 18:43:15 +0000 (21:43 +0300)
committer	GitHub <noreply@github.com>
	Mon, 27 Apr 2026 18:43:15 +0000 (21:43 +0300)
commit	fc829e88753858c8ac669594bf0093f44948c0f4
tree	0d5da01d9934c15c9765bde4adbb551203acdd0d	tree \| snapshot
parent	3e5a3cb2bd222f97f793b01bc1c0f7bb62aefc31	commit \| diff

gh-146581: Fix vulnerability in shutil.unpack_archive() for ZIP files on Windows (GH-146591)

Use ZipFile.extractall() to sanitize file names and extract files.

Files with invalid names (e.g. absolute paths) are now skipped.

Files containing ".." in the name are no longer skipped.

Lib/shutil.py		diff \| blob \| blame \| history
Lib/test/test_shutil.py		diff \| blob \| blame \| history
Lib/zipfile/__init__.py		diff \| blob \| blame \| history
Misc/NEWS.d/next/Security/2026-03-29-12-51-33.gh-issue-146581.4vZfB0.rst	[new file with mode: 0644]	blob

Mirror of https://github.com/python/cpython.git

RSS Atom