homepage

We only support arcname with one leading '/', but not more. This patch fixes it.
We don't support arcname with '..' well. The default behavior of unzip and 7z is to ignore all '..'. This patch does the same.
Also updated the doc. If there are other security related issues exist, we should revise the doc.
Please review.

What happens when the archive contains both 'foo' and '../foo'? They seem to be extracted at the same place.

$ unzip -l t.zip 
Archive: t.zip
 Length Date Time Name
--------- ---------- ----- ----
 3 01-14-2011 21:11 ../foo
 3 01-14-2011 21:11 foo
--------- -------
 6 2 files
[zhigang@localhost tmp]$ unzip -d aa t.zip
Archive: t.zip
warning: skipped "../" path component(s) in ../foo
 extracting: aa/foo 
replace aa/foo? [y]es, [n]o, [A]ll, [N]one, [r]ename: A
 extracting: aa/foo 
$ 7za x -oaa t.zip 
7-Zip (A) 9.13 beta Copyright (c) 1999-2010 Igor Pavlov 2010年04月15日
p7zip Version 9.13 (locale=en_US.UTF-8,Utf16=on,HugeFiles=on,1 CPU)
Processing archive: t.zip
file aa/foo
already exists. Overwrite with 
../foo?
(Y)es / (N)o / (A)lways / (S)kip all / A(u)to rename all / (Q)uit? A
Extracting ../foo
Extracting foo
Everything is Ok
Files: 2
Size: 6
Compressed: 198

Yes, in zipfile, we just overwrite it. Actually, ZipFile.extract() overwrite existing files already. If we want it more powerful, we can add a 'overwrite' parameter. But turning zipfile a full featured zip/unzip tool needs much more extra work...

Some comments to patch.
+ arcname = os.path.sep.join([x for x in arcname.split(os.path.sep)
+ if x != '..'])
File names in zip archive should use '/' as separator, not os.path.sep. '../spam' will be not cleaned by this code.
+ while arcname[0] in (os.sep, os.altsep):
+ arcname = arcname[1:]
It will not save from filenames containing drive letter: 'C:/Windows/python.exe'.

I'm going to close this issue as a duplicate of issue6972. Issue6972 is older and has a larger discussion.
Thank you for patch and research, Zhigang Wang. I will use it for the new patch.