[2.7] bpo-38945: UU Encoding: Don't let newline in filename corrupt the output format... 17574/head
authorMatthew Rollings <1211162+stealthcopter@users.noreply.github.com>
Tue, 3 Dec 2019 18:18:52 +0000 (18:18 +0000)
committerGuido van Rossum <guido@python.org>
Tue, 3 Dec 2019 18:18:52 +0000 (10:18 -0800)
(cherry picked from commit a62ad4730c9b575f140f24074656c0257c86a09a)

Co-authored-by: Matthew Rollings <1211162+stealthcopter@users.noreply.github.com>
Lib/encodings/uu_codec.py
Lib/test/test_uu.py
Lib/uu.py
Misc/NEWS.d/next/Security/2019-12-01-22-44-40.bpo-38945.ztmNXc.rst [new file with mode: 0644]

index 5cb0d2b13e07127532dd47d755f0a1d187de917a..fcd5aa45a9708c6872005cb9f63c63c44dbf881e 100644 (file)
@@ -31,6 +31,10 @@ def uu_encode(input,errors='strict',filename='<data>',mode=0666):
     read = infile.read
     write = outfile.write
 
+    # Remove newline chars from filename
+    filename = filename.replace('\n','\\n')
+    filename = filename.replace('\r','\\r')
+
     # Encode
     write('begin %o %s\n' % (mode & 0777, filename))
     chunk = read(45)
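Review bot: The added comment says the newline characters are removed, but the two `replace` calls escape them to the literal two-character sequences `\n` and `\r`, so the comment misstates what ends up in the `begin` header. I would word it as `# Escape CR/LF so the filename cannot end the 'begin' line and spill into the encoded body`; the same applies to the "Remove newline chars from name" comment in the Lib/uu.py hunk. The escaping is one-way, since a name that already contains a backslash followed by `n` looks identical afterwards, which seems acceptable for a header label but is worth saying in the comment. The test added on this page calls only `uu.encode`, so this codec path appears to have no coverage of its own. uu_encode's body starts and ends outside the hunk.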
index df41cbc12d40d086ae718a856ee0de360c57040a..f016bb2c67ea2f2e4e4f971b14b07d86400380f9 100644 (file)
@@ -9,6 +9,7 @@ from test import test_support as support
 import cStringIO
 import sys
 import uu
+import io
 
 plaintext = "The smooth-scaled python crept over the sleeping dog\n"
 
@@ -82,6 +83,15 @@ class UUTest(unittest.TestCase):
         decoded = codecs.decode(encodedtext, "uu_codec")
         self.assertEqual(decoded, plaintext)
 
+    def test_newlines_escaped(self):
+        # Test newlines are escaped with uu.encode
+        inp = io.BytesIO(plaintext)
+        out = io.BytesIO()
+        filename = "test.txt\n\roverflow.txt"
+        safefilename = b"test.txt\\n\\roverflow.txt"
+        uu.encode(inp, out, filename)
+        self.assertIn(safefilename, out.getvalue())
+
 class UUStdIOTest(unittest.TestCase):
 
     def setUp(self):
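Review bot: The `assertIn` in test_newlines_escaped only shows that the escaped name occurs somewhere in the output, so it would still pass if the header line were malformed in some other way. Pinning the first output line is stricter, for example `self.assertEqual(out.getvalue().split(b"\n", 1)[0], b"begin 666 " + safefilename)`, assuming the default mode for a file-object input is written as 666, as the Lib/uu.py hunk suggests. A round trip through `uu.decode` that asserts the payload equals `plaintext` would also confirm that the name cannot alter the decoded body. UUTest's body starts outside the hunk.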
index f8fa4c4757661b1af3b32166ed3ff17ccde2b3ad..8eaea5960dffe14461ccb4c07ecb2f8f6c255a2a 100755 (executable)
--- a/Lib/uu.py
+++ b/Lib/uu.py
@@ -73,6 +73,13 @@ def encode(in_file, out_file, name=None, mode=None):
             name = '-'
         if mode is None:
             mode = 0666
+
+        #
+        # Remove newline chars from name
+        #
+        name = name.replace('\n','\\n')
+        name = name.replace('\r','\\r')
+
         #
         # Write the data
         #
diff --git a/Misc/NEWS.d/next/Security/2019-12-01-22-44-40.bpo-38945.ztmNXc.rst b/Misc/NEWS.d/next/Security/2019-12-01-22-44-40.bpo-38945.ztmNXc.rst
new file mode 100644 (file)
index 0000000..1bf6ed5
--- /dev/null
@@ -0,0 +1 @@
+Newline characters have been escaped when performing uu encoding to prevent them from overflowing into to content section of the encoded file. This prevents malicious or accidental modification of data during the decoding process.
\ No newline at end of file