New submission from Zhigang Wang <w1z...@gmail.com>:

We only support arcname with one leading '/', but not more. This patch fixes it.

We don't support arcname with '..' well. The default behavior of unzip and 7z is to ignore all '..'. This patch does the same.

Also updated the doc. If other security-related issues exist, we should revise the doc.

Please review.

----------
components: Library (Lib)
files: python-zipfile-fix-arcname.patch
keywords: patch
messages: 126254
nosy: zhigang
priority: normal
severity: normal
status: open
title: zipfile: fix arcname with leading '///' or '..'
type: security
versions: Python 3.3
Added file: http://bugs.python.org/file20404/python-zipfile-fix-arcname.patch

_______________________________________
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue10905>
_______________________________________
_______________________________________________
Python-bugs-list mailing list
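The normalization described in the report above, as an added example that is not the attached patch and not CPython's code: member names lose every leading '/' and every '..' component before being joined to the extraction directory. The helper names, the sample archive and the `/tmp/out` destination are constructed for illustration, and POSIX-style paths are assumed.

```python
import io
import posixpath
import zipfile


def sanitize_arcname(name: str) -> str:
    """Return a relative, '..'-free member path ('' if nothing is left)."""
    # Treat '\\' as a separator too, so Windows-style names get the same check.
    parts = name.replace("\\", "/").split("/")
    # Dropping empty parts removes any number of leading slashes ('///a' -> 'a').
    # Dropping '..' (rather than resolving it) is the "ignore all '..'" behaviour
    # the report attributes to unzip and 7z.
    return "/".join(p for p in parts if p not in ("", ".", ".."))


def safe_targets(zf: zipfile.ZipFile, dest: str) -> dict:
    """Map each stored member name to the path it would be written to under dest."""
    dest = posixpath.normpath(dest)
    targets = {}
    for info in zf.infolist():
        rel = sanitize_arcname(info.filename)
        if not rel:
            continue  # name consisted only of separators and dots
        target = posixpath.normpath(posixpath.join(dest, rel))
        # Second check, independent of the sanitizer: the result must stay in dest.
        if posixpath.commonpath([dest, target]) != dest:
            raise ValueError(f"member escapes destination: {info.filename!r}")
        targets[info.filename] = target
    return targets


def build_sample() -> zipfile.ZipFile:
    """Constructed in-memory archive with the name shapes the report mentions."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in ("///etc/motd", "../../evil.txt",
                     "docs/../readme.txt", "ok/file.txt"):
            zf.writestr(name, b"x")  # writestr stores the name as given
    buf.seek(0)
    return zipfile.ZipFile(buf)


if __name__ == "__main__":
    for stored, target in safe_targets(build_sample(), "/tmp/out").items():
        print(f"{stored!r:24} -> {target}")
```

Because '..' is dropped instead of resolved, `docs/../readme.txt` lands at `docs/readme.txt`, so two differently named members can map to the same target and an extractor should decide how to handle that collision.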