author | Sam Carroll <70000253+samcarroll42@users.noreply.github.com> | 2023-05-09 16:01:58 (GMT) |
committer | GitHub <noreply@github.com> | 2023-05-09 16:01:58 (GMT) |
commit | 0aeda297931820436a50b78f4f7f0597274b5df4 (patch) | |
tree | e6e76aaf7522cb14fd43aaea46b323c71d36c4aa /Lib/uu.py | |
parent | afe7703744f813adb15719642444b5fd35888d86 (diff) | |
gh-99889: Fix directory traversal security flaw in uu.decode() (#104096)
* Fix directory traversal security flaw in uu.decode()
* also check absolute paths and os.altsep
* Add a regression test.
---------
Co-authored-by: Gregory P. Smith <greg@krypto.org> [Google]
Diffstat (limited to 'Lib/uu.py')
-rw-r--r--[-rwxr-xr-x] | Lib/uu.py | 9 |
1 files changed, 8 insertions, 1 deletions
diff --git a/Lib/uu.py b/Lib/uu.py
index 6f8805d..26bb59a 100755..100644
--- a/Lib/uu.py
+++ b/Lib/uu.py
@@ -133,7 +133,14 @@ def decode(in_file, out_file=None, mode=None, quiet=False):
 # If the filename isn't ASCII, what's up with that?!?
 out_file = hdrfields[2].rstrip(b' \t\r\n\f').decode("ascii")
 if os.path.exists(out_file):
- raise Error('Cannot overwrite existing file: %s' % out_file)
+ raise Error(f'Cannot overwrite existing file: {out_file}')
+ if (out_file.startswith(os.sep) or
+ f'..{os.sep}' in out_file or (
+ os.altsep and
+ (out_file.startswith(os.altsep) or
+ f'..{os.altsep}' in out_file)) +
 ):
+ raise Error(f'Refusing to write to {out_file} due to directory traversal')
 if mode is None:
 mode = int(hdrfields[1], 8)
 #
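Review bot: The absolute-path half of the new guard, `out_file.startswith(os.sep)` and `out_file.startswith(os.altsep)`, only recognises names that begin with a bare separator, so on Windows a drive-qualified name such as `C:\...` starts with a letter and passes both tests even though it escapes the working directory. `os.path.isabs` already encodes the platform's notion of an absolute path, which would collapse the condition to `if (os.path.isabs(out_file) or f'..{os.sep}' in out_file or (os.altsep and f'..{os.altsep}' in out_file)):` and close that gap. The `..` substring tests are sound as written since any traversing component must be followed by a separator, and the preceding `os.path.exists` check already rejects a name that is exactly `..`. This appears to be the branch where `out_file` is taken from the uuencoded header rather than supplied by the caller, so it is the right place for the check; `decode` begins and ends outside the hunk.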