authorMatthew Rollings <1211162+stealthcopter@users.noreply.github.com>2019-12-02 22:25:21 (GMT)
committerGuido van Rossum <guido@python.org>2019-12-02 22:25:21 (GMT)
commita62ad4730c9b575f140f24074656c0257c86a09a (patch)
tree2fe5664ba3d3bf745bda95c2539e4c25e3535380
parent016b0280b8a97bc26e97c6a8dd5fb8fad5fe72e4 (diff)
bpo-38945: UU Encoding: Don't let newline in filename corrupt the output format (#17418)
-rw-r--r--Lib/encodings/uu_codec.py4
-rw-r--r--Lib/test/test_uu.py9
-rwxr-xr-xLib/uu.py7
-rw-r--r--Misc/NEWS.d/next/Security/2019-12-01-22-44-40.bpo-38945.ztmNXc.rst1
4 files changed, 21 insertions, 0 deletions
diff --git a/Lib/encodings/uu_codec.py b/Lib/encodings/uu_codec.py
index 2a5728f..4e58c62 100644
--- a/Lib/encodings/uu_codec.py
+++ b/Lib/encodings/uu_codec.py
@@ -20,6 +20,10 @@ def uu_encode(input, errors='strict', filename='<data>', mode=0o666):
read = infile.read
write = outfile.write
+ # Remove newline chars from filename
+ filename = filename.replace('\n','\\n')
+ filename = filename.replace('\r','\\r')
+
# Encode
write(('begin %o %s\n' % (mode & 0o777, filename)).encode('ascii'))
chunk = read(45)
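Review bot: The escaping added ahead of the `begin` header write is one-way: `\n` and `\r` become `\\n` and `\\r`, but a backslash already present in `filename` is left alone, so a name holding the two characters backslash-n yields the same header as one that held a real newline. If the original name has to be recoverable, escape the backslash first with `filename = filename.replace('\\', '\\\\')`; otherwise the comment should state that the mapping is lossy. The comment also says "Remove" although the code escapes, and `# Escape CR/LF so the filename cannot end the 'begin' header line early` would match what the lines do. The same two lines and comment are repeated in the Lib/uu.py hunk for `name`, where the same applies. uu_encode's body starts and ends outside this hunk.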
diff --git a/Lib/test/test_uu.py b/Lib/test/test_uu.py
index c9f05e5..c8709f7 100644
--- a/Lib/test/test_uu.py
+++ b/Lib/test/test_uu.py
@@ -136,6 +136,15 @@ class UUTest(unittest.TestCase):
decoded = codecs.decode(encodedtext, "uu_codec")
self.assertEqual(decoded, plaintext)
+ def test_newlines_escaped(self):
+ # Test newlines are escaped with uu.encode
+ inp = io.BytesIO(plaintext)
+ out = io.BytesIO()
+ filename = "test.txt\n\roverflow.txt"
+ safefilename = b"test.txt\\n\\roverflow.txt"
+ uu.encode(inp, out, filename)
+ self.assertIn(safefilename, out.getvalue())
+
class UUStdIOTest(unittest.TestCase):
def setUp(self):
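Review bot: `test_newlines_escaped` only asserts that the escaped name appears somewhere in the output, so it says nothing about where the header line actually ends. Pinning the header itself is stricter: `header = out.getvalue().split(b"\n", 1)[0]` followed by `self.assertTrue(header.endswith(safefilename))`. The test goes through `uu.encode` only, so the parallel escaping added in Lib/encodings/uu_codec.py is not exercised by it. The UUTest class starts outside this hunk.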
diff --git a/Lib/uu.py b/Lib/uu.py
index 9b1e5e6..9f1f37f 100755
--- a/Lib/uu.py
+++ b/Lib/uu.py
@@ -73,6 +73,13 @@ def encode(in_file, out_file, name=None, mode=None, *, backtick=False):
name = '-'
if mode is None:
mode = 0o666
+
+ #
+ # Remove newline chars from name
+ #
+ name = name.replace('\n','\\n')
+ name = name.replace('\r','\\r')
+
#
# Write the data
#
diff --git a/Misc/NEWS.d/next/Security/2019-12-01-22-44-40.bpo-38945.ztmNXc.rst b/Misc/NEWS.d/next/Security/2019-12-01-22-44-40.bpo-38945.ztmNXc.rst
new file mode 100644
index 0000000..1bf6ed5
--- /dev/null
+++ b/Misc/NEWS.d/next/Security/2019-12-01-22-44-40.bpo-38945.ztmNXc.rst
@@ -0,0 +1 @@
+Newline characters have been escaped when performing uu encoding to prevent them from overflowing into to content section of the encoded file. This prevents malicious or accidental modification of data during the decoding process. \ No newline at end of file