[issue35278] [security] directory traversal in tempfile prefix
Oliver Bestwalter
report at bugs.python.org
Sun Apr 14 08:35:27 EDT 2019
Oliver Bestwalter <oliver at bestwalter.de> added the comment:
I am not sure if this justifies a new issue so I add this here.
The suffix parameter can also be used for a traversal attack. It is possible to completely clobber anything in dir and prefix (at least on Windows).
e.g. calling mkdtemp or NamedTemporaryFile with these paramers ...
dir=r"C:\tmp",
prefix="pre",
suffix="../../../../../../../../../gotcha"
Will result in a directory or file being created at C:/gotcha.
I also wonder if this would justify adding a warning to the documentation for all existing Python versions?
Quoting from the documentation of mkstemp (https://docs.python.org/3/library/tempfile.html#tempfile.mkstemp):
> If prefix is specified, the file name will begin with that prefix; otherwise, a default prefix is used.
>
> If dir is specified, the file will be created in that directory [...]
As both claims are rendered untrue when using suffix in the above described way I think this should be amended.
----------
nosy: +obestwalter
_______________________________________
Python tracker <report at bugs.python.org>
<https://bugs.python.org/issue35278>
_______________________________________
More information about the Python-bugs-list
mailing list