[2.7] bpo-38945: UU Encoding: Don't let newline in filename corrupt the output format (GH-17418). (#17452)

(cherry picked from commit a62ad4730c)

Co-authored-by: Matthew Rollings <1211162+stealthcopter@users.noreply.github.com>
Matthew Rollings 2019-12-03 18:18:52 +00:00 committed by Guido van Rossum
parent 864207181d
commit a016d4e32c
4 changed files with 22 additions and 0 deletions


@ -31,6 +31,10 @@ def uu_encode(input,errors='strict',filename='<data>',mode=0666):
read = infile.read read = infile.read
write = outfile.write write = outfile.write
# Remove newline chars from filename
filename = filename.replace('\n','\\n')
filename = filename.replace('\r','\\r')
# Encode # Encode
write('begin %o %s\n' % (mode & 0777, filename)) write('begin %o %s\n' % (mode & 0777, filename))
chunk = read(45) chunk = read(45)
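Review bot: The escape added before the `begin` line is not reversible, because the backslash itself is left untouched: a filename holding a real newline and one holding the two characters `\n` produce the same header. That keeps the header on one line, which is the goal, but whether a consumer of the decoded name can tell the two apart depends on decode code that is not in this hunk. The comment also says "Remove" while the code escapes; I would word it as `# Escape CR/LF so the name cannot end the 'begin' line (one-way: the decoder sees the escaped text)`. The same lines and comment are added to `encode()` in the uu module hunk, and `uu_encode` starts and ends outside this hunk.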


@ -9,6 +9,7 @@ from test import test_support as support
import cStringIO import cStringIO
import sys import sys
import uu import uu
import io
plaintext = "The smooth-scaled python crept over the sleeping dog\n" plaintext = "The smooth-scaled python crept over the sleeping dog\n"
@ -82,6 +83,15 @@ class UUTest(unittest.TestCase):
decoded = codecs.decode(encodedtext, "uu_codec") decoded = codecs.decode(encodedtext, "uu_codec")
self.assertEqual(decoded, plaintext) self.assertEqual(decoded, plaintext)
def test_newlines_escaped(self):
# Test newlines are escaped with uu.encode
inp = io.BytesIO(plaintext)
out = io.BytesIO()
filename = "test.txt\n\roverflow.txt"
safefilename = b"test.txt\\n\\roverflow.txt"
uu.encode(inp, out, filename)
self.assertIn(safefilename, out.getvalue())
class UUStdIOTest(unittest.TestCase): class UUStdIOTest(unittest.TestCase):
def setUp(self): def setUp(self):
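Review bot: `test_newlines_escaped` only asserts that the escaped name occurs somewhere in the output, so it does not pin the property the fix is about, namely that the header stays a single line. Checking the first line directly is tighter, e.g. `self.assertEqual(out.getvalue().split(b"\n", 1)[0], b"begin 666 " + safefilename)`, where 666 is assumed from the default mode shown in the uu module hunk. The parallel escape added to `uu_encode` in the codec module has no test in this commit; a direct call with a filename containing CR and LF would cover it.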


@ -73,6 +73,13 @@ def encode(in_file, out_file, name=None, mode=None):
name = '-' name = '-'
if mode is None: if mode is None:
mode = 0666 mode = 0666
#
# Remove newline chars from name
#
name = name.replace('\n','\\n')
name = name.replace('\r','\\r')
# #
# Write the data # Write the data
# #


@ -0,0 +1 @@
Newline characters have been escaped when performing uu encoding to prevent them from overflowing into to content section of the encoded file. This prevents malicious or accidental modification of data during the decoding process.