gh-99889: Fix directory traversal security flaw in uu.decode() (#104096)

* Fix directory traversal security flaw in uu.decode() * also check absolute paths and os.altsep * Add a regression test. --------- Co-authored-by: Gregory P. Smith <greg@krypto.org> [Google]
author: Sam Carroll <70000253+samcarroll42@users.noreply.github.com> 2023-05-09 16:01:58 (GMT)
committer: GitHub <noreply@github.com> 2023-05-09 16:01:58 (GMT)
commit: 0aeda297931820436a50b78f4f7f0597274b5df4 (patch)
tree: e6e76aaf7522cb14fd43aaea46b323c71d36c4aa /Misc/NEWS.d/next/Security
parent: afe7703744f813adb15719642444b5fd35888d86 (diff)
download: cpython-0aeda297931820436a50b78f4f7f0597274b5df4.zip
cpython-0aeda297931820436a50b78f4f7f0597274b5df4.tar.gz
cpython-0aeda297931820436a50b78f4f7f0597274b5df4.tar.bz2
1 files changed, 2 insertions, 0 deletions
diff --git a/Misc/NEWS.d/next/Security/2023-05-02-17-56-32.gh-issue-99889.l664SU.rst b/Misc/NEWS.d/next/Security/2023-05-02-17-56-32.gh-issue-99889.l664SU.rst
new file mode 100644
index 0000000..b7002e8
--- /dev/null
+++ b/Misc/NEWS.d/next/Security/2023-05-02-17-56-32.gh-issue-99889.l664SU.rst
@@ -0,0 +1,2 @@
+Fixed a security in flaw in :func:`uu.decode` that could allow for
+directory traversal based on the input if no ``out_file`` was specified.
author	Sam Carroll <70000253+samcarroll42@users.noreply.github.com>	2023-05-09 16:01:58 (GMT)
committer	GitHub <noreply@github.com>	2023-05-09 16:01:58 (GMT)
commit	0aeda297931820436a50b78f4f7f0597274b5df4 (patch)
tree	e6e76aaf7522cb14fd43aaea46b323c71d36c4aa /Misc/NEWS.d/next/Security
parent	afe7703744f813adb15719642444b5fd35888d86 (diff)
download	cpython-0aeda297931820436a50b78f4f7f0597274b5df4.zip cpython-0aeda297931820436a50b78f4f7f0597274b5df4.tar.gz cpython-0aeda297931820436a50b78f4f7f0597274b5df4.tar.bz2