Warn about possible risks when extracting untrusted archives.

2007-08-30 20:24:31 +00:00 · 2007-08-30 20:24:31 +00:00 · 89241a3889
parent eba40650b5
commit 89241a3889
1 changed files with 11 additions and 0 deletions
--- a/Doc/library/tarfile.rst
+++ b/Doc/library/tarfile.rst
@ -337,6 +337,13 @@ object, see :ref:`tarinfo-objects` for details.
   reset each time a file is created in it. And, if a directory's permissions do
   not allow writing, extracting files to it will fail.

+   .. warning::
+
+      Never extract archives from untrusted sources without prior inspection.
+      It is possible that files are created outside of *path*, e.g. members
+      that have absolute filenames starting with ``"/"`` or filenames with two
+      dots ``".."``.
+
   .. versionadded:: 2.5


@ -353,6 +360,10 @@ object, see :ref:`tarinfo-objects` for details.
      are some issues you must take care of yourself. See the description for
      :meth:`extractall` above.

+   .. warning::
+
+      See the warning for :meth:`extractall`.
+

 .. method:: TarFile.extractfile(member)