gh-146581: Update docs for dangerous filenames in ZIP files

[serhiy-storchaka]

• Issue: shutil.unpack_archive() on Windows writes outside extract_dir for ZIP entries with drive-prefixed names #146581

[read-the-docs-community]

Documentation build overview

📚 cpython-previews | 🛠️ Build #32743883 | 📁 Comparing cadce7a against main (bd6bf91)

  🔍 Preview build  

8 files changed · + 1 added · ± 7 modified

+ Added

• deprecations/pending-removal-in-3.21.html

± Modified

• deprecations/index.html
• library/os.html
• library/shutil.html
• library/ssl.html
• library/zipfile.html
• whatsnew/3.16.html
• whatsnew/changelog.html

[StanFromIreland]

LGTM, thanks Serhiy

[serhiy-storchaka]

This PR was inspired by @sepastian's PR #111824. I missed that the docs also need an update in the previous PR. filenames with two dots ".." is unclear -- it can be read as with the ".." component (like it should be) or as literally containing the ".." substring (like it was implemented in _unpack_zipfile). Also, filenames starting with "/" was not only absolute paths.

[StanFromIreland]

This PR was inspired by @sepastian's PR #111824.

In that case, I would suggest adding him to the Co-Authored-By: Sebastian Gassner <sebastian.gassner@gmail.com>.

[merwok]

Yes, and/or Misc/ACKS

[miss-islington-app]

Thanks @serhiy-storchaka for the PR 🌮🎉.. I'm working now to backport this PR to: 3.13, 3.14, 3.15.
🐍🍒⛏🤖

[bedevere-app]

GH-150064 is a backport of this pull request to the 3.15 branch.

[bedevere-app]

GH-150065 is a backport of this pull request to the 3.14 branch.

[bedevere-app]

GH-150066 is a backport of this pull request to the 3.13 branch.

[serhiy-storchaka]

This PR was inspired by @sepastian's PR #111824.

In that case, I would suggest adding him to the Co-Authored-By: Sebastian Gassner <sebastian.gassner@gmail.com>.

Good idea. Although I only took idea that some changes were needed here. The changes themselves were different, and applied more wide.