Fixes Issue #6972: The zipfile module no longer overwrites files outside of
its destination path when extracting malicious zip files.
diff --git a/Doc/library/zipfile.rst b/Doc/library/zipfile.rst
index e975baa..df24bb7 100644
--- a/Doc/library/zipfile.rst
+++ b/Doc/library/zipfile.rst
@@ -242,6 +242,16 @@
.. versionadded:: 2.6
+ .. note::
+
+ If a member filename is an absolute path, a drive/UNC sharepoint and
+ leading (back)slashes will be stripped, e.g.: ``///foo/bar`` becomes
+ ``foo/bar`` on Unix, and ``ะก:\foo\bar`` becomes ``foo\bar`` on Windows.
+ And all ``".."`` components in a member filename will be removed, e.g.:
+ ``../../foo../../ba..r`` becomes ``foo../ba..r``. On Windows illegal
+ characters (``:``, ``<``, ``>``, ``|``, ``"``, ``?``, and ``*``)
+ replaced by underscore (``_``).
+
.. method:: ZipFile.read(name[, pwd])
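Review bot: The last sentence of the added note, "On Windows illegal characters (...) replaced by underscore", is missing its verb and should read "are replaced by underscore (``_``)". The drive letter in the Windows example path on the third line of the note does not render as an ASCII ``C``; please retype it as a plain Latin letter so the example can be copied as written. Because the note documents a change in how member names are handled during extraction, consider adding a ``.. versionchanged::`` directive next to the existing ``.. versionadded:: 2.6``, so readers can tell from which release the sanitization applies. It would also help to state whether a rewritten member name is reported to the caller or changed silently, since the note only says the components "will be removed".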