python · swenson · Oct 23, 2021 · Oct 25, 2021
diff --git a/Doc/library/shutil.rst b/Doc/library/shutil.rst
@@ -657,6 +657,13 @@ provided.  They rely on the :mod:`zipfile` and :mod:`tarfile` modules.
    registered for that extension.  In case none is found,
    a :exc:`ValueError` is raised.
 
+   .. warning::
+
+      Never extract archives from untrusted sources without prior inspection.
+      It is possible that files are created outside of *path*, e.g. members
+      that have absolute filenames starting with ``"/"`` or filenames with two
+      dots ``".."``.
+
    .. audit-event:: shutil.unpack_archive filename,extract_dir,format shutil.unpack_archive
 
    .. versionchanged:: 3.7

diff --git a/Misc/ACKS b/Misc/ACKS
@@ -1727,6 +1727,7 @@ Andrew Svetlov
 Paul Swartz
 Dennis Sweeney
 Al Sweigart
+Christopher Swenson
 Sviatoslav Sydorenko
 Thenault Sylvain
 Péter Szabó

diff --git a/Misc/NEWS.d/next/Security/2021-10-22-19-07-53.bpo-20749.hi0GfC.rst b/Misc/NEWS.d/next/Security/2021-10-22-19-07-53.bpo-20749.hi0GfC.rst
@@ -0,0 +1,2 @@
+Copied security warning from :func:`tarfile.extractall()` to
+:func:`shutil.unpack_archive()`.
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,2 @@
		Copied security warning from :func:`tarfile.extractall()` to
		:func:`shutil.unpack_archive()`.