[issue35278] [security] directory traversal in tempfile prefix
Martijn Pieters
report at bugs.python.org
Sat Nov 9 08:09:41 EST 2019
Martijn Pieters <mj at python.org> added the comment:
I found this issue after helping someone solve a Stack Overflow question at https://stackoverflow.com/q/58767241/100297; they eventually figured out that their prefix was a path, not a path element.
I'd be all in favour of making tempfile._sanitize_params either reject a prefix or suffix with `os.sep` or `os.altsep` characters, or just take the last element of os.path.split().
----------
nosy: +mjpieters
_______________________________________
Python tracker <report at bugs.python.org>
<https://bugs.python.org/issue35278>
_______________________________________
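The two options proposed in the comment above, sketched as a caller-side wrapper. This is an added example, not code from the tracker or from CPython; `reject_separators`, `last_element` and `safe_mkstemp` are hypothetical names, and only `str` prefixes and suffixes are handled.

```python
import os
import tempfile

def _separators():
    # os.altsep is None on POSIX and "/" on Windows.
    return [s for s in (os.sep, os.altsep) if s]

def reject_separators(part, name):
    """Option 1: refuse a prefix/suffix that contains a path separator."""
    if part and any(sep in part for sep in _separators()):
        raise ValueError(f"{name} must be a single path element, got {part!r}")
    return part

def last_element(part, name=None):
    """Option 2: keep only the last element of os.path.split()."""
    return os.path.split(part)[1] if part else part

def safe_mkstemp(suffix="", prefix="tmp", dir=None, strict=True):
    """Hypothetical wrapper: sanitise str prefix/suffix, then call mkstemp."""
    clean = reject_separators if strict else last_element
    return tempfile.mkstemp(
        suffix=clean(suffix, "suffix"),
        prefix=clean(prefix, "prefix"),
        dir=dir,
    )

if __name__ == "__main__":
    # Constructed input: a prefix that is a relative path, not a name.
    bad_prefix = os.path.join("..", "escape-")
    with tempfile.TemporaryDirectory() as base:
        try:
            safe_mkstemp(prefix=bad_prefix, dir=base)
        except ValueError as exc:
            print("rejected:", exc)
        fd, path = safe_mkstemp(prefix=bad_prefix, dir=base, strict=False)
        os.close(fd)
        print("created inside dir:", os.path.dirname(path) == os.path.abspath(base))
```

With `strict=False` a prefix that ends in a separator reduces to an empty string, so the file name consists only of the random part and the suffix.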