bpo-38945: UU Encoding: Don't let newline in filename corrupt the output format ...
authorMiss Islington (bot) <31488909+miss-islington@users.noreply.github.com>
Mon, 2 Dec 2019 23:34:31 +0000 (15:34 -0800)
committerNed Deily <nad@python.org>
Mon, 2 Dec 2019 23:34:31 +0000 (18:34 -0500)
(cherry picked from commit a62ad4730c9b575f140f24074656c0257c86a09a)

Co-authored-by: Matthew Rollings <1211162+stealthcopter@users.noreply.github.com>
Lib/encodings/uu_codec.py
Lib/test/test_uu.py
Lib/uu.py
Misc/NEWS.d/next/Security/2019-12-01-22-44-40.bpo-38945.ztmNXc.rst [new file with mode: 0644]

index 2a5728fb5b74ad648dc2265afb34010d2d0a0552..4e58c62fe9ef0f37576e8c10b19bf5abc454239c 100644 (file)
@@ -20,6 +20,10 @@ def uu_encode(input, errors='strict', filename='<data>', mode=0o666):
     read = infile.read
     write = outfile.write
 
+    # Remove newline chars from filename
+    filename = filename.replace('\n','\\n')
+    filename = filename.replace('\r','\\r')
+
     # Encode
     write(('begin %o %s\n' % (mode & 0o777, filename)).encode('ascii'))
     chunk = read(45)
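Review bot: The comment added above the two `replace` calls says the newline characters are removed, but the code escapes them to a literal backslash followed by `n` or `r`; it should read something like `# Escape CR/LF so the filename cannot end the 'begin' header line early`. The escaping is also one-way: a backslash already present in the filename is left as is, so after encoding a name that contained a literal backslash-n cannot be told apart from one that contained a newline, and nothing in the hunks shown unescapes the name on decode. The comment should say this is sanitisation of the header, not a reversible encoding of the name. The same comment and the same two lines appear in the `encode` hunk of Lib/uu.py, where the same wording applies. The body of `uu_encode` starts and ends outside this hunk.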
index 735647898137ef4969d66c1c15d0a0ed449d3418..3503d76b8597ff3d889c4dc662cf4ba789c68532 100644 (file)
@@ -114,6 +114,15 @@ class UUTest(unittest.TestCase):
             decoded = codecs.decode(encodedtext, "uu_codec")
             self.assertEqual(decoded, plaintext)
 
+    def test_newlines_escaped(self):
+        # Test newlines are escaped with uu.encode
+        inp = io.BytesIO(plaintext)
+        out = io.BytesIO()
+        filename = "test.txt\n\roverflow.txt"
+        safefilename = b"test.txt\\n\\roverflow.txt"
+        uu.encode(inp, out, filename)
+        self.assertIn(safefilename, out.getvalue())
+
 class UUStdIOTest(unittest.TestCase):
 
     def setUp(self):
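Review bot: `test_newlines_escaped` only checks that the escaped name occurs somewhere in the output, which does not show that the `begin` header stays on a single line or that the payload is unaffected. Asserting on the header line itself pins the property the fix is for: `header = out.getvalue().split(b"\n", 1)[0]` followed by `self.assertTrue(header.endswith(safefilename))`, and a decode of `out` compared with `plaintext` would cover the payload. The test exercises `uu.encode` only; the identical change to `uu_encode` in Lib/encodings/uu_codec.py has no test in the hunks shown. `UUTest` begins outside the hunk.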
index d68d29374a8bbfafe7108fca56c40730215ada5e..3a8c31cff06d8f5842db916f5470024c9d7fb333 100755 (executable)
--- a/Lib/uu.py
+++ b/Lib/uu.py
@@ -73,6 +73,13 @@ def encode(in_file, out_file, name=None, mode=None):
             name = '-'
         if mode is None:
             mode = 0o666
+
+        #
+        # Remove newline chars from name
+        #
+        name = name.replace('\n','\\n')
+        name = name.replace('\r','\\r')
+
         #
         # Write the data
         #
diff --git a/Misc/NEWS.d/next/Security/2019-12-01-22-44-40.bpo-38945.ztmNXc.rst b/Misc/NEWS.d/next/Security/2019-12-01-22-44-40.bpo-38945.ztmNXc.rst
new file mode 100644 (file)
index 0000000..1bf6ed5
--- /dev/null
@@ -0,0 +1 @@
+Newline characters have been escaped when performing uu encoding to prevent them from overflowing into to content section of the encoded file. This prevents malicious or accidental modification of data during the decoding process.
\ No newline at end of file