From: Lars Gustäbel <lars@gustaebel.de>
Date: Thu, 30 Aug 2007 20:25:13 +0000 (+0000)
Subject: Warn about possible risks when extracting untrusted archives.
X-Git-Tag: v2.5.2c1~202
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=b9ff6697487f3fb4e8123c0632565539b7987bbc;p=python

Warn about possible risks when extracting untrusted archives.
---

diff --git a/Doc/lib/libtarfile.tex b/Doc/lib/libtarfile.tex
index b33ac606ca..d173164248 100644
--- a/Doc/lib/libtarfile.tex
+++ b/Doc/lib/libtarfile.tex
@@ -207,6 +207,12 @@ tar archive several times. Each archive member is represented by a
     problems: A directory's modification time is reset each time a file is
     created in it. And, if a directory's permissions do not allow writing,
     extracting files to it will fail.
+    \begin{notice}[warning]
+    Never extract archives from untrusted sources without prior inspection.
+    It is possible that files are created outside of \var{path}, e.g. members
+    that have absolute filenames starting with \code{"/"} or filenames with
+    two dots \code{".."}.
+    \end{notice}
     \versionadded{2.5}
 \end{methoddesc}
 
@@ -221,6 +227,10 @@ tar archive several times. Each archive member is represented by a
     archive there are some issues you must take care of yourself. See the
     description for \method{extractall()} above.
     \end{notice}
+
+    \begin{notice}[warning]
+    See the warning for \method{extractall()}.
+    \end{notice}
 \end{methoddesc}
 
 \begin{methoddesc}{extractfile}{member}