gh-99889: Fix directory traversal security flaw in uu.decode() (#104096)

* Fix directory traversal security flaw in uu.decode() * also check absolute paths and os.altsep * Add a regression test. --------- Co-authored-by: Gregory P. Smith <greg@krypto.org> [Google]
2025-08-09 19:38:42 +00:00 · 2023-05-09 12:01:58 -04:00 · 2023-05-09 12:01:58 -04:00 · 0aeda29793
commit 0aeda29793
parent afe7703744
3 changed files with 38 additions and 1 deletions
--- a/Lib/uu.py
+++ b/Lib/uu.py
@ -133,7 +133,14 @@ def decode(in_file, out_file=None, mode=None, quiet=False):
            # If the filename isn't ASCII, what's up with that?!?
            out_file = hdrfields[2].rstrip(b' \t\r\n\f').decode("ascii")
            if os.path.exists(out_file):
-                raise Error('Cannot overwrite existing file: %s' % out_file)
+                raise Error(f'Cannot overwrite existing file: {out_file}')
+            if (out_file.startswith(os.sep) or
+                f'..{os.sep}' in out_file or (
+                    os.altsep and
+                    (out_file.startswith(os.altsep) or
+                     f'..{os.altsep}' in out_file))
+               ):
+                raise Error(f'Refusing to write to {out_file} due to directory traversal')
        if mode is None:
            mode = int(hdrfields[1], 8)
        #