Skip to content

[3.11] gh-146581: Fix vulnerability in shutil.unpack_archive() for ZIP files on Windows (GH-146591)#149071

Open
serhiy-storchaka wants to merge 1 commit intopython:3.11from
serhiy-storchaka:backport-fc829e8-3.11
Open

[3.11] gh-146581: Fix vulnerability in shutil.unpack_archive() for ZIP files on Windows (GH-146591)#149071
serhiy-storchaka wants to merge 1 commit intopython:3.11from
serhiy-storchaka:backport-fc829e8-3.11

Conversation

@serhiy-storchaka
Copy link
Copy Markdown
Member

@serhiy-storchaka serhiy-storchaka commented Apr 27, 2026
edited by bedevere-app Bot
Loading

Use ZipFile.extractall() to sanitize file names and extract files.

Files with invalid names (e.g. absolute paths) are now skipped.

Files containing ".." in the name are no longer skipped.

(cherry picked from commit fc829e8)

@serhiy-storchaka
pythongh-146581: Fix vulnerability in shutil.unpack_archive() for ZIP…
cca6d2d 
… files on Windows (pythonGH-146591)

Use ZipFile.extractall() to sanitize file names and extract files.

Files with invalid names (e.g. absolute paths) are now skipped.

Files containing ".." in the name are no longer skipped.

(cherry picked from commit fc829e8)
@serhiy-storchaka serhiy-storchaka added the needs backport to 3.10 only security fixes label Apr 27, 2026
@bedevere-app bedevere-app Bot added the type-security A security issue label Apr 27, 2026
@bedevere-app bedevere-app Bot mentioned this pull request Apr 27, 2026
Merged
@bedevere-app bedevere-app Bot mentioned this pull request Apr 27, 2026
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

awaiting core review needs backport to 3.10 only security fixes type-security A security issue

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@serhiy-storchaka