Skip to content

Commit 0816c44

Browse files
rickpricerickprice
committed
CVE-2007-4559 Apply Fixes pythongh-102950 from community fixes
1 parent 9dcc3b1 commit 0816c44

File tree

9 files changed

+1809
-77
lines changed

9 files changed

+1809
-77
lines changed

Doc/library/shutil.rst

Lines changed: 27 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -539,7 +539,7 @@ provided. They rely on the :mod:`zipfile` and :mod:`tarfile` modules.
539539
Remove the archive format *name* from the list of supported formats.
540540

541541

542-
.. function:: unpack_archive(filename[, extract_dir[, format]])
542+
.. function:: unpack_archive(filename[, extract_dir[, format[, filter]]])
543543

544544
Unpack an archive. *filename* is the full path of the archive.
545545

@@ -553,9 +553,27 @@ provided. They rely on the :mod:`zipfile` and :mod:`tarfile` modules.
553553
registered for that extension. In case none is found,
554554
a :exc:`ValueError` is raised.
555555

556+
The keyword-only *filter* argument, which was added in Python 3.7.17,
557+
is passed to the underlying unpacking function.
558+
For zip files, *filter* is not accepted.
559+
For tar files, it is recommended to set it to ``'data'``,
560+
unless using features specific to tar and UNIX-like filesystems.
561+
(See :ref:`tarfile-extraction-filter` for details.)
562+
The ``'data'`` filter will become the default for tar files
563+
in Python 3.14.
564+
565+
.. warning::
566+
567+
Never extract archives from untrusted sources without prior inspection.
568+
It is possible that files are created outside of the path specified in
569+
the *extract_dir* argument, e.g. members that have absolute filenames
570+
starting with "/" or filenames with two dots "..".
571+
556572
.. versionchanged:: 3.7
557573
Accepts a :term:`path-like object` for *filename* and *extract_dir*.
558574

575+
.. versionchanged:: 3.7.17
576+
Added the *filter* argument.
559577

560578
.. function:: register_unpack_format(name, extensions, function[, extra_args[, description]])
561579

@@ -564,11 +582,14 @@ provided. They rely on the :mod:`zipfile` and :mod:`tarfile` modules.
564582
``.zip`` for Zip files.
565583

566584
*function* is the callable that will be used to unpack archives. The
567-
callable will receive the path of the archive, followed by the directory
568-
the archive must be extracted to.
569-
570-
When provided, *extra_args* is a sequence of ``(name, value)`` tuples that
571-
will be passed as keywords arguments to the callable.
585+
callable will receive:
586+
587+
- the path of the archive, as a positional argument;
588+
- the directory the archive must be extracted to, as a positional argument;
589+
- possibly a *filter* keyword argument, if it was given to
590+
:func:`unpack_archive`;
591+
- additional keyword arguments, specified by *extra_args* as a sequence
592+
of ``(name, value)`` tuples.
572593

573594
*description* can be provided to describe the format, and will be returned
574595
by the :func:`get_unpack_formats` function.

0 commit comments

Comments
 (0)