Skip to content

gh-146581: Update docs for dangerous filenames in ZIP files#149994

Open
serhiy-storchaka wants to merge 2 commits into
python:mainfrom
serhiy-storchaka:unzip-docs-bad-filenames
Open

gh-146581: Update docs for dangerous filenames in ZIP files#149994
serhiy-storchaka wants to merge 2 commits into
python:mainfrom
serhiy-storchaka:unzip-docs-bad-filenames

Conversation

@serhiy-storchaka
Copy link
Copy Markdown
Member

@serhiy-storchaka serhiy-storchaka commented May 18, 2026
edited by bedevere-app Bot
Loading

@serhiy-storchaka serhiy-storchaka added docs Documentation in the Doc dir skip news needs backport to 3.13 bugs and security fixes labels May 18, 2026
@serhiy-storchaka serhiy-storchaka added needs backport to 3.14 bugs and security fixes needs backport to 3.15 pre-release feature fixes, bugs and security fixes labels May 18, 2026
@github-project-automation github-project-automation Bot moved this to Todo in Docs PRs May 18, 2026
@bedevere-app bedevere-app Bot mentioned this pull request May 18, 2026
Open
@read-the-docs-community
Copy link
Copy Markdown

read-the-docs-community Bot commented May 18, 2026
edited
Loading

Documentation build overview

📚 cpython-previews | 🛠️ Build #32743883 | 📁 Comparing cadce7a against main (bd6bf91)

  🔍 Preview build  

8 files changed · + 1 added · ± 7 modified

+ Added

± Modified

StanFromIreland
StanFromIreland reviewed May 18, 2026
View reviewed changes
Comment thread Doc/library/shutil.rst Outdated
Comment thread Doc/library/zipfile.rst Outdated
Comment thread Doc/library/zipfile.rst Outdated
@serhiy-storchaka @StanFromIreland
Apply suggestions from code review
cadce7a 
Co-authored-by: Stan Ulbrych <stan@python.org>
StanFromIreland
StanFromIreland approved these changes May 18, 2026
View reviewed changes
Copy link
Copy Markdown
Member

@StanFromIreland StanFromIreland left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, thanks Serhiy

@serhiy-storchaka serhiy-storchaka mentioned this pull request May 18, 2026
Closed
@serhiy-storchaka
Copy link
Copy Markdown
Member Author

serhiy-storchaka commented May 18, 2026

This PR was inspired by @sepastian's PR #111824. I missed that the docs also need an update in the previous PR. filenames with two dots ".." is unclear -- it can be read as with the ".." component (like it should be) or as literally containing the ".." substring (like it was implemented in _unpack_zipfile). Also, filenames starting with "/" was not only absolute paths.

@StanFromIreland
Copy link
Copy Markdown
Member

StanFromIreland commented May 18, 2026

This PR was inspired by @sepastian's PR #111824.

In that case, I would suggest adding him to the Co-Authored-By: Sebastian Gassner <sebastian.gassner@gmail.com>.

@merwok
Copy link
Copy Markdown
Member

merwok commented May 19, 2026

Yes, and/or Misc/ACKS

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@StanFromIreland StanFromIreland StanFromIreland approved these changes

@giampaolo giampaolo Awaiting requested review from giampaolo giampaolo is a code owner

Assignees

No one assigned

Labels

awaiting merge docs Documentation in the Doc dir needs backport to 3.13 bugs and security fixes needs backport to 3.14 bugs and security fixes needs backport to 3.15 pre-release feature fixes, bugs and security fixes skip news

Projects

Docs PRs
Status: Todo

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@serhiy-storchaka @StanFromIreland @merwok