[security] directory traversal in tempfile prefix #79459
Hello, The tempfile library does not check the prefix argument, which can be exploited to create files outside tmpdir by using directory traversal.
The same issue was found and treated as a vulnerability in PHP (CVE-2006-1494) and Ruby (CVE-2018-6914). I first reported this issue to security@python.org in July 2018. Some people kindly discussed it, and finally I was told to create a ticket here.
Ruby handled this issue as a vulnerability: The doc of "gettempprefix" says "This does not contain the directory component", so it is natural for users to think "prefix" will accept only a file name. Maybe we can silently truncate the directory part of the prefix to only keep the base name in stable branches, but raise an exception in Python 3.8? Or maybe emit a deprecation warning in Python 3.7?
Hello, For reference, here is the patch for Ruby: Maybe we should also consider validation on suffix, as in their solution?
Adding Łukasz to the nosy list as release manager.
I am not sure if this justifies a new issue so I add this here. The suffix parameter can also be used for a traversal attack. It is possible to completely clobber anything in dir and prefix (at least on Windows). E.g. calling mkdtemp or NamedTemporaryFile with these parameters ...

    dir=r"C:\tmp",
    prefix="pre",
    suffix="../../../../../../../../../gotcha"

will result in a directory or file being created at C:/gotcha. I also wonder if this would justify adding a warning to the documentation for all existing Python versions? Quoting from the documentation of mkstemp (https://docs.python.org/3/library/tempfile.html#tempfile.mkstemp):
As both claims are rendered untrue when using suffix in the above described way I think this should be amended.
I found this issue after helping someone solve a Stack Overflow question at https://stackoverflow.com/q/58767241/100297; they eventually figured out that their prefix was a path, not a path element. I'd be all in favour of making tempfile._sanitize_params either reject a prefix or suffix with
Is the problem planned to be solved? I found no reply for a long time.
So far, nobody proposed a pull request to fix the issue.
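
A caller-side guard for the behaviour discussed in this thread, as an added example that is not CPython's code or a proposed patch: it rejects any `prefix` or `suffix` carrying a path separator or drive part before calling `tempfile.mkstemp`, then confirms the created file sits in the requested directory. The names `check_component` and `safe_mkstemp` are hypothetical.

```python
import os
import tempfile


def check_component(label, value):
    """Reject a prefix/suffix that is more than a plain file-name fragment."""
    if value is None:
        return
    text = os.fsdecode(value)  # tempfile accepts str or bytes here
    separators = {"/", os.sep, "\0"}
    if os.altsep:
        separators.add(os.altsep)
    if any(sep in text for sep in separators):
        raise ValueError(f"{label} must not contain a path separator: {value!r}")
    # On Windows a fragment such as "C:name" would re-root the joined path.
    if os.path.splitdrive(text)[0]:
        raise ValueError(f"{label} must not contain a drive or UNC part: {value!r}")


def safe_mkstemp(suffix=None, prefix=None, dir=None, text=False):
    """mkstemp() that refuses directory components in prefix and suffix."""
    check_component("prefix", prefix)
    check_component("suffix", suffix)
    fd, path = tempfile.mkstemp(suffix=suffix, prefix=prefix, dir=dir, text=text)
    base = tempfile.gettempdir() if dir is None else dir
    # Defence in depth: the new file's parent must be the requested directory.
    if not os.path.samefile(os.path.dirname(path), base):
        os.close(fd)
        os.unlink(path)
        raise RuntimeError(f"temporary file escaped {base!r}: {path!r}")
    return fd, path


if __name__ == "__main__":
    # Constructed inputs, run inside a throwaway directory.
    samples = ({"prefix": "pre", "suffix": ".log"},
               {"prefix": "../pre"},
               {"prefix": "pre", "suffix": "../../gotcha"})
    with tempfile.TemporaryDirectory() as tmp:
        for kwargs in samples:
            try:
                fd, path = safe_mkstemp(dir=tmp, **kwargs)
                os.close(fd)
                print("created ", path)
            except ValueError as exc:
                print("rejected", exc)
```
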
Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.