Directory traversal in uu module / uu.decode
Navigation Menu
{{ message }}
- Notifications You must be signed in to change notification settings
- Fork 34.3k
Closed
Assignees
Description
opened
on Nov 30, 2022Bug report
The function uu.decode is vulnerable to trivial directory traversal if no output filename is given. An uu-encoded file with a path starting with a repetition of ../../ or a / allows writing a file to an arbitrary location on the filesystem.
I reported this to security@python.org and was asked to report it publicly as the function is rarely used and removal is planned anyway for Python 3.13.
Your environment
CPython versions tested on: 3.10.8
Operating system and architecture: Linux
example files
Case 1:
begin 644 ../../../../../../../../tmp/test1
$86)C"@``
`
end
Case 2:
begin 644 /tmp/test2
$86)C"@``
`
end
Linked PRs
- gh-99889: Fix directory traversal security flaw in uu.decode() #104096
- [3.11] gh-99889: Fix directory traversal security flaw in uu.decode() (GH-104096) #104329
- [3.10] gh-99889: Fix directory traversal security flaw in uu.decode() (GH-104096) #104330
- [3.9] gh-99889: Fix directory traversal security flaw in uu.decode() (GH-104096) #104331
- [3.8] gh-99889: Fix directory traversal security flaw in uu.decode() (GH-104096) #104332
- [3.7] gh-99889: Fix directory traversal security flaw in uu.decode() (GH-104096) #104333
Metadata
Metadata
Assignees
Labels
Projects
No projects
Milestone
No milestone
Relationships
None yet
Development
No branches or pull requests
Issue actions