Bug report
The function uu.decode is vulnerable to trivial directory traversal if no output filename is given. An uu-encoded file with a path starting with a repetition of ../../ or a / allows writing a file to an arbitrary location on the filesystem.
I reported this to security@python.org and was asked to report it publicly as the function is rarely used and removal is planned anyway for Python 3.13.
Your environment
CPython versions tested on: 3.10.8
Operating system and architecture: Linux
example files
Case 1:
begin 644 ../../../../../../../../tmp/test1
$86)C"@``
`
end
Case 2:
begin 644 /tmp/test2
$86)C"@``
`
end
Linked PRs
Reactions are currently unavailable
Bug report
The function uu.decode is vulnerable to trivial directory traversal if no output filename is given. An uu-encoded file with a path starting with a repetition of ../../ or a / allows writing a file to an arbitrary location on the filesystem.
I reported this to security@python.org and was asked to report it publicly as the function is rarely used and removal is planned anyway for Python 3.13.
Your environment
CPython versions tested on: 3.10.8
Operating system and architecture: Linux
example files
Case 1:
Case 2:
Linked PRs