Directory traversal in uu module / uu.decode #99889
Description
Bug report
The function uu.decode is vulnerable to trivial directory traversal if no output filename is given. An uu-encoded file with a path starting with a repetition of ../../ or a / allows writing a file to an arbitrary location on the filesystem.
I reported this to security@python.org and was asked to report it publicly as the function is rarely used and removal is planned anyway for Python 3.13.
Your environment
CPython versions tested on: 3.10.8
Operating system and architecture: Linux
example files
Case 1:
begin 644 ../../../../../../../../tmp/test1
$86)C"@``
`
end
Case 2:
begin 644 /tmp/test2
$86)C"@``
`
end
Linked PRs
- gh-99889: Fix directory traversal security flaw in uu.decode() #104096
- [3.11] gh-99889: Fix directory traversal security flaw in uu.decode() (GH-104096) #104329
- [3.10] gh-99889: Fix directory traversal security flaw in uu.decode() (GH-104096) #104330
- [3.9] gh-99889: Fix directory traversal security flaw in uu.decode() (GH-104096) #104331
- [3.8] gh-99889: Fix directory traversal security flaw in uu.decode() (GH-104096) #104332
- [3.7] gh-99889: Fix directory traversal security flaw in uu.decode() (GH-104096) #104333