bpo-35278: Sanitize tempfile prefix to prevent directory treversal #10627
Conversation
|
Hello, and thanks for your contribution! I'm a bot set up to make sure that the project can legally accept your contribution by verifying you have signed the PSF contributor agreement (CLA). Our records indicate we have not received your CLA. For legal reasons we need you to sign this before we can look at your contribution. Please follow the steps outlined in the CPython devguide to rectify this issue. If you have recently signed the CLA, please wait at least one business day You can check yourself to see if the CLA has been received. Thanks again for your contribution, we look forward to reviewing it! |
| @@ -121,6 +127,12 @@ def _sanitize_params(prefix, suffix, dir): | |||
| prefix = template | |||
| else: | |||
| prefix = _os.fsencode(template) | |||
| if output_type is str: | |||
| if any(sep in prefix for sep in _path_separators): | |||
| raise ValueError("Prefix contains system separator character") | |||
There was a problem hiding this comment.
It is called a pathname components separator.
| if output_type is str: | ||
| if any(sep in prefix for sep in _path_separators): |
There was a problem hiding this comment.
You can simply test that os.path.dirname(prefix+suffix) is empty.
There was a problem hiding this comment.
I would also prefer to reuse dirname() function.
|
|
||
| def test_throw_exception_on_encoded_path_separator_detection(self): | ||
| with self.assertRaises(ValueError): | ||
| tempfile.mkstemp(prefix=f"{os.fsencode(os.sep)}home") |
There was a problem hiding this comment.
It does not work as you expected. On Posix it generates prefix "b'/'home".
Use os.fsencode(f"{os.sep}home").
| @unittest.skipIf(os.altsep is None, "os.altsep is not present on this platform") | ||
| def test_throw_exception_on_alternative_path_separator_detection(self): | ||
| with self.assertRaises(ValueError): | ||
| tempfile.mkstemp(prefix=f"{os.altsep}home") |
There was a problem hiding this comment.
You need also a test for bytes prefix with altsep.
Add also tests for suffix containing a pathname components separator.
Add also tests for other functions that use _sanitize_params().
It will be too wasteful to add 24 separate test methods, so you should test several cases per method method.
|
A Python core developer has requested some changes be made to your pull request before we can consider merging it. If you could please address their requests along with any other requests in other reviews from core developers that would be appreciated. Once you have made the requested changes, please leave a comment on this pull request containing the phrase And if you don't make the requested changes, you will be put in the comfy chair! |
|
This PR is stale because it has been open for 30 days with no activity. |
_sanitize_paramsfunction in order to detect malicious pathhttps://bugs.python.org/issue35278