
[3.12] gh-146581: Fix vulnerability in shutil.unpack_archive() for ZIP files on Windows (GH-146591) #149066

Open
miss-islington wants to merge 1 commit into python:3.12 from miss-islington:backport-fc829e8-3.12


miss-islington commented Apr 27, 2026

Use ZipFile.extractall() to sanitize file names and extract files.

Files with invalid names (e.g. absolute paths) are now skipped.

Files containing ".." in the name are no longer skipped.
(cherry picked from commit fc829e8)

Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
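
The file-name sanitization that the description above relies on can be checked directly. This is an added example, not code from the pull request: it calls `ZipFile.extractall()` itself rather than `shutil.unpack_archive()` (whose behaviour depends on whether the interpreter includes this change), and the member names are constructed for the test.

```python
import io
import tempfile
import zipfile
from pathlib import Path

# Constructed member names: one ordinary, one with a ".." component,
# one absolute, and one where ".." is only part of a name.
MEMBERS = ["docs/readme.txt", "../escape.txt", "/abs/path.txt", "a..b/file..txt"]


def build_archive(names):
    """Return the bytes of an in-memory ZIP holding the given member names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in names:
            # writestr() stores the name as given, so the unsafe forms survive.
            zf.writestr(name, b"data")
    return buf.getvalue()


def extract_and_audit(archive_bytes):
    """Extract with ZipFile.extractall(); return (paths under dest, escaped paths)."""
    with tempfile.TemporaryDirectory() as tmp:
        parent = Path(tmp).resolve()
        # dest is nested in a scratch parent so a file written one level up
        # by an unsanitized ".." would still be found by the audit.
        dest = parent / "dest"
        dest.mkdir()
        with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
            zf.extractall(dest)
        files = [p for p in parent.rglob("*") if p.is_file()]
        inside = sorted(p.relative_to(dest).as_posix()
                        for p in files if p.is_relative_to(dest))
        escaped = sorted(p.relative_to(parent).as_posix()
                         for p in files if not p.is_relative_to(dest))
        return inside, escaped


if __name__ == "__main__":
    inside, escaped = extract_and_audit(build_archive(MEMBERS))
    print("written under dest:", inside)
    print("written outside dest:", escaped)
```

On a POSIX system the `..` component and the leading slash are dropped, so every member lands under the destination directory and none is skipped.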
