Document caveats of zipfile.Path around name sanitization #123726
Comments
@abj101 expressed interest in working on a documentation issue relating to #123270. Please take some time to understand the concern and consider how you might want to approach communicating the concern to the reader. Feel free to ask questions or describe a draft change in this issue, or create a PR. See the documentation section of the devguide for advice on how to contribute documentation changes. Thanks for offering to help.
Hi, I would love to contribute and be a part of this! Could someone please assign this to me?
Hi, if this issue is unassigned, I'd like to take it up.
Since Affan offered first, let's let them take the first stab at it. Swasti - perhaps you could review the proposal. If there's no proposal by March 15, feel free to take it on. Affan, please keep us apprised and let us know if you've stopped working on it or have questions.
…ation Add a note to the `zipfile.Path` class documentation clarifying that it does not sanitize filenames. This emphasizes the caller's responsibility to validate or sanitize inputs, especially when handling untrusted ZIP archives, to prevent path traversal vulnerabilities. The note also references the `extract` and `extractall` methods for comparison and suggests using `os.path.abspath` and `os.path.commonpath` for safe filename resolution.
Hi @jaraco, I’ve created a pull request to address this issue by adding a note to the zipfile.Path documentation clarifying that it doesn’t sanitize filenames. This is my first contribution to CPython, so I’d really appreciate it if you could review the PR and let me know if I’ve missed anything or if there’s anything I need to improve. Thank you for your guidance!
…130537) Add a note to the `zipfile.Path` class documentation clarifying that it does not sanitize filenames. This emphasizes the caller's responsibility to validate or sanitize inputs, especially when handling untrusted ZIP archives, to prevent path traversal vulnerabilities. The note also references the `extract` and `extractall` methods for comparison and suggests using `os.path.abspath` and `os.path.commonpath` for safe filename resolution.
…ation (pythonGH-130537) Add a note to the `zipfile.Path` class documentation clarifying that it does not sanitize filenames. This emphasizes the caller's responsibility to validate or sanitize inputs, especially when handling untrusted ZIP archives, to prevent path traversal vulnerabilities. The note also references the `extract` and `extractall` methods for comparison and suggests using `os.path.abspath` and `os.path.commonpath` for safe filename resolution. (cherry picked from commit a3990df) Co-authored-by: Affan Shaikhsurab <[email protected]>
…zation (GH-130537) (#130986) gh-123726: Document caveats of zipfile.Path around name sanitization (GH-130537) Add a note to the `zipfile.Path` class documentation clarifying that it does not sanitize filenames. This emphasizes the caller's responsibility to validate or sanitize inputs, especially when handling untrusted ZIP archives, to prevent path traversal vulnerabilities. The note also references the `extract` and `extractall` methods for comparison and suggests using `os.path.abspath` and `os.path.commonpath` for safe filename resolution. (cherry picked from commit a3990df) Co-authored-by: Affan Shaikhsurab <[email protected]>
…zation (GH-130537) (#130987) gh-123726: Document caveats of zipfile.Path around name sanitization (GH-130537) Add a note to the `zipfile.Path` class documentation clarifying that it does not sanitize filenames. This emphasizes the caller's responsibility to validate or sanitize inputs, especially when handling untrusted ZIP archives, to prevent path traversal vulnerabilities. The note also references the `extract` and `extractall` methods for comparison and suggests using `os.path.abspath` and `os.path.commonpath` for safe filename resolution. (cherry picked from commit a3990df) Co-authored-by: Affan Shaikhsurab <[email protected]>
pythongh-123726: Document caveats of zipfile.Path around name sanitization …
…ation (python#130537) Add a note to the `zipfile.Path` class documentation clarifying that it does not sanitize filenames. This emphasizes the caller's responsibility to validate or sanitize inputs, especially when handling untrusted ZIP archives, to prevent path traversal vulnerabilities. The note also references the `extract` and `extractall` methods for comparison and suggests using `os.path.abspath` and `os.path.commonpath` for safe filename resolution.
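The caveat those commit messages document, shown as an added example that is not part of the issue thread or of CPython's own documentation: zipfile.Path addresses a member by its stored name verbatim, whereas ZipFile.extract strips the traversal components, and the abspath/commonpath check the note suggests flags such an entry before anything touches the filesystem. The archive is constructed in memory and the function names are mine.

```python
import io
import os
import tempfile
import zipfile
from typing import Optional

# Constructed sample archive (not a real file): one benign entry and one whose
# stored name tries to climb out of the destination directory.
def build_sample_archive() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", "hello")
        zf.writestr("../outside.txt", "escaped")
    return buf.getvalue()


def read_via_zipfile_path(data: bytes, member: str) -> str:
    """zipfile.Path uses the stored name as-is; nothing is sanitized."""
    p = zipfile.Path(zipfile.ZipFile(io.BytesIO(data)), at=member)
    return p.read_text()


def resolve_member(dest_dir: str, member: str) -> Optional[str]:
    """Absolute path `member` would land at under dest_dir, or None if it
    would escape. This is the abspath/commonpath check the note suggests."""
    base = os.path.abspath(dest_dir)
    target = os.path.abspath(os.path.join(base, member))
    try:
        inside = os.path.commonpath([base, target]) == base
    except ValueError:  # different drives on Windows: certainly not inside
        inside = False
    return target if inside else None


def unsafe_members(data: bytes, dest_dir: str) -> list:
    """Stored names that fail the check; refuse the archive if non-empty."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [n for n in zf.namelist() if resolve_member(dest_dir, n) is None]


def extract_with_builtin_sanitizing(data: bytes, member: str) -> str:
    """For comparison: ZipFile.extract drops '..' components, so the escaping
    entry lands inside the destination as 'outside.txt'."""
    with tempfile.TemporaryDirectory() as dest, \
            zipfile.ZipFile(io.BytesIO(data)) as zf:
        written = zf.extract(member, path=dest)
        return os.path.relpath(written, dest)
```

The check operates on stored names only; it says nothing about what a member's content does once written, and any member rejected by `unsafe_members` is reason to reject the whole archive rather than skip that one entry.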
I think documenting the caveats would be good.
Originally posted by @obfusk in #123270 (comment)
Linked PRs