The Wayback Machine - https://web.archive.org/web/20230607151633/https://github.com/python/cpython/issues/99889
Directory traversal in uu module / uu.decode #99889

Closed
hannob opened this issue Nov 30, 2022 · 0 comments · Fixed by #104096
Labels: stdlib (Python modules in the Lib dir), type-bug (An unexpected behavior, bug, or error), type-security (A security issue)

hannob commented Nov 30, 2022

Bug report

The function uu.decode is vulnerable to trivial directory traversal if no output filename is given. A uu-encoded file with a path starting with a repetition of ../../ or a / allows writing a file to an arbitrary location on the filesystem.

I reported this to security@python.org and was asked to report it publicly as the function is rarely used and removal is planned anyway for Python 3.13.

Your environment

CPython versions tested on: 3.10.8
Operating system and architecture: Linux

example files

Case 1:

begin 644 ../../../../../../../../tmp/test1
$86)C"@``
`
end

Case 2:

begin 644 /tmp/test2
$86)C"@``
`
end
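Added example (not part of the report and not CPython's fix): a minimal decoder built on binascii instead of the uu module that reads the "begin" line the way uu.decode does, but refuses to use the header filename unless it is a bare name (no os.sep or os.altsep, no absolute path, no "." or ".."), so both cases above are rejected while a benign file is still written into a caller-chosen directory. The names UnsafeName, parse_begin, validate_name, safe_decode and demo are chosen here, and the three inputs are constructed from the report.

```python
import binascii
import os
import tempfile

# Constructed inputs: the two header shapes from the report, plus a benign one.
CASE1 = b"begin 644 ../../../../../../../../tmp/test1\n$86)C\"@``\n`\nend\n"
CASE2 = b"begin 644 /tmp/test2\n$86)C\"@``\n`\nend\n"
BENIGN = b"begin 644 hello.txt\n$86)C\"@``\n`\nend\n"

class UnsafeName(ValueError):
    """The 'begin' header names something other than a bare filename."""

def parse_begin(line: bytes) -> str:
    """Return the <name> field of a 'begin <mode> <name>' line, split as uu.decode splits it."""
    fields = line.split(b" ", 2)
    if len(fields) != 3 or fields[0] != b"begin":
        raise ValueError("not a valid begin line")
    return fields[2].rstrip(b" \t\r\n\f").decode("ascii")

def validate_name(name: str) -> str:
    """Accept a bare filename only: no os.sep or os.altsep, no absolute path, no '.' or '..'."""
    if (not name or name in (".", "..") or os.path.isabs(name)
            or any(sep in name for sep in (os.sep, os.altsep) if sep)):
        raise UnsafeName(f"refusing to write to {name!r} named by the uu header")
    return name

def safe_decode(data: bytes, out_dir: str) -> tuple[str, bytes]:
    """Decode one uuencoded blob into out_dir; the header name is used only after validation."""
    lines = data.splitlines(keepends=True)
    dest = os.path.join(out_dir, validate_name(parse_begin(lines[0])))
    body = bytearray()
    for line in lines[1:]:
        if line.strip(b" \t\r\n\f") == b"end":
            break
        body += binascii.a2b_uu(line)  # a bare '`' line decodes to b""
    with open(dest, "xb") as fh:  # 'x' refuses to overwrite an existing file
        fh.write(body)
    return dest, bytes(body)

def demo() -> dict:
    out = {}
    with tempfile.TemporaryDirectory() as d:  # nothing is written outside this directory
        for label, blob in (("case1", CASE1), ("case2", CASE2), ("benign", BENIGN)):
            try:
                dest, body = safe_decode(blob, d)
                out[label] = ("written", os.path.relpath(dest, d), body)
            except UnsafeName as err:
                out[label] = ("rejected", str(err))
    return out
```

With an explicit out_file, uu.decode never consults the header name, so callers that cannot upgrade can also sidestep the issue by always passing one.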


@hannob hannob added the type-bug An unexpected behavior, bug, or error label Nov 30, 2022
@sobolevn sobolevn added the type-security A security issue label Dec 2, 2022
samcarroll42 added a commit to samcarroll42/cpython that referenced this issue May 2, 2023
@arhadthedev arhadthedev added the stdlib Python modules in the Lib dir label May 2, 2023
@gpshead gpshead self-assigned this May 9, 2023
gpshead pushed a commit that referenced this issue May 9, 2023
* Fix directory traversal security flaw in uu.decode()
* also check absolute paths and os.altsep
* Add a regression test.

---------

Co-authored-by: Gregory P. Smith <greg@krypto.org> [Google]
miss-islington pushed a commit to miss-islington/cpython that referenced this issue May 9, 2023
…ythonGH-104096)

* Fix directory traversal security flaw in uu.decode()
* also check absolute paths and os.altsep
* Add a regression test.

---------

(cherry picked from commit 0aeda29)

Co-authored-by: Sam Carroll <70000253+samcarroll42@users.noreply.github.com>
Co-authored-by: Gregory P. Smith <greg@krypto.org> [Google]
gpshead pushed a commit that referenced this issue May 9, 2023
…GH-104096) (#104329)

gh-99889: Fix directory traversal security flaw in uu.decode() (GH-104096)

* Fix directory traversal security flaw in uu.decode()
* also check absolute paths and os.altsep
* Add a regression test.

---------

(cherry picked from commit 0aeda29)

Co-authored-by: Gregory P. Smith <greg@krypto.org> [Google]
Co-authored-by: Sam Carroll <70000253+samcarroll42@users.noreply.github.com>
gpshead pushed a commit that referenced this issue May 9, 2023
…GH-104096) (#104330)

gh-99889: Fix directory traversal security flaw in uu.decode() (GH-104096)

* Fix directory traversal security flaw in uu.decode()
* also check absolute paths and os.altsep
* Add a regression test.

---------

(cherry picked from commit 0aeda29)

Co-authored-by: Gregory P. Smith <greg@krypto.org> [Google]
Co-authored-by: Sam Carroll <70000253+samcarroll42@users.noreply.github.com>
carljm added a commit to carljm/cpython that referenced this issue May 9, 2023
* main:
  pythongh-97696 Add documentation for get_coro() behavior with eager tasks (python#104304)
  pythongh-97933: (PEP 709) inline list/dict/set comprehensions (python#101441)
  pythongh-99889: Fix directory traversal security flaw in uu.decode() (python#104096)
  pythongh-104184: fix building --with-pydebug --enable-pystats (python#104217)
  pythongh-104139: Add itms-services to uses_netloc urllib.parse. (python#104312)
  pythongh-104240: return code unit metadata from codegen (python#104300)
ambv pushed a commit that referenced this issue May 22, 2023
…H-104096) (#104332)

(cherry picked from commit 0aeda29)

Co-authored-by: Sam Carroll <70000253+samcarroll42@users.noreply.github.com>
ambv pushed a commit that referenced this issue May 22, 2023
…H-104096) (#104331)

(cherry picked from commit 0aeda29)

Co-authored-by: Sam Carroll <70000253+samcarroll42@users.noreply.github.com>
ned-deily pushed a commit that referenced this issue May 27, 2023
…H-104333)

(cherry picked from commit 0aeda29)
Co-authored-by: Sam Carroll <70000253+samcarroll42@users.noreply.github.com>