bpo-38945: UU Encoding: Don't let newline in filename corrupt the output format ...
authorMatthew Rollings <1211162+stealthcopter@users.noreply.github.com>
Mon, 2 Dec 2019 22:25:21 +0000 (22:25 +0000)
committerGuido van Rossum <guido@python.org>
Mon, 2 Dec 2019 22:25:21 +0000 (14:25 -0800)
Lib/encodings/uu_codec.py
Lib/test/test_uu.py
Lib/uu.py
Misc/NEWS.d/next/Security/2019-12-01-22-44-40.bpo-38945.ztmNXc.rst [new file with mode: 0644]

index 2a5728fb5b74ad648dc2265afb34010d2d0a0552..4e58c62fe9ef0f37576e8c10b19bf5abc454239c 100644 (file)
@@ -20,6 +20,10 @@ def uu_encode(input, errors='strict', filename='<data>', mode=0o666):
     read = infile.read
     write = outfile.write
 
+    # Remove newline chars from filename
+    filename = filename.replace('\n','\\n')
+    filename = filename.replace('\r','\\r')
+
     # Encode
     write(('begin %o %s\n' % (mode & 0o777, filename)).encode('ascii'))
     chunk = read(45)
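Review bot: The added comment says the newline characters are removed, but the two `replace` calls escape them to the literal two-character sequences `\n` and `\r`. Because a backslash already present in the filename is not escaped, a name with a real newline and a name with a literal backslash-n produce the same `begin` line, and nothing in this commit unescapes it on decode. Keeping the header on one line is the security goal and this achieves it, but the comment should say so, e.g. `# Escape CR/LF so the filename cannot end the 'begin' header line early (lossy, not reversed on decode)`. The same two lines are repeated in the Lib/uu.py hunk; a shared helper would keep the two encoders from drifting apart. uu_encode's body continues outside the hunk.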
index c9f05e5b760d922cfaddf4a509d2fbc317b8b97f..c8709f7a0d6660fdfc412a52f33cd0793ab0ac67 100644 (file)
@@ -136,6 +136,15 @@ class UUTest(unittest.TestCase):
                 decoded = codecs.decode(encodedtext, "uu_codec")
                 self.assertEqual(decoded, plaintext)
 
+    def test_newlines_escaped(self):
+        # Test newlines are escaped with uu.encode
+        inp = io.BytesIO(plaintext)
+        out = io.BytesIO()
+        filename = "test.txt\n\roverflow.txt"
+        safefilename = b"test.txt\\n\\roverflow.txt"
+        uu.encode(inp, out, filename)
+        self.assertIn(safefilename, out.getvalue())
+
 class UUStdIOTest(unittest.TestCase):
 
     def setUp(self):
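Review bot: `self.assertIn(safefilename, out.getvalue())` checks only that the escaped name appears somewhere in the output, not that the `begin` header is a single line ending with it. A tighter check pins the header: `header = out.getvalue().split(b"\n", 1)[0]` followed by `self.assertTrue(header.startswith(b"begin ") and header.endswith(safefilename))`. The test also exercises only `uu.encode`; the identical change to `uu_encode` in Lib/encodings/uu_codec.py has no test in this commit. The UUTest class starts before the hunk and UUStdIOTest continues after it.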
index 9b1e5e607207f789deec21efa1a19fb8a5f7a788..9f1f37f1a64101302d50a74c638bbe45c515a125 100755 (executable)
--- a/Lib/uu.py
+++ b/Lib/uu.py
@@ -73,6 +73,13 @@ def encode(in_file, out_file, name=None, mode=None, *, backtick=False):
             name = '-'
         if mode is None:
             mode = 0o666
+
+        #
+        # Remove newline chars from name
+        #
+        name = name.replace('\n','\\n')
+        name = name.replace('\r','\\r')
+
         #
         # Write the data
         #
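Review bot: `name.replace('\n','\\n')` assumes `name` is a `str`, whereas the `%s` formatting it feeds (visible in the uu_codec.py hunk, presumably the same here) accepted any object. If a caller passes `bytes` or a path object as `name`, this would now raise `TypeError` instead of writing a header; it is worth confirming that this is intended, or coercing first with `name = str(name)`. The comment has the same wording problem as in uu_codec.py: the characters are escaped, not removed. encode()'s body starts and ends outside the hunk.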
diff --git a/Misc/NEWS.d/next/Security/2019-12-01-22-44-40.bpo-38945.ztmNXc.rst b/Misc/NEWS.d/next/Security/2019-12-01-22-44-40.bpo-38945.ztmNXc.rst
new file mode 100644 (file)
index 0000000..1bf6ed5
--- /dev/null
@@ -0,0 +1 @@
+Newline characters have been escaped when performing uu encoding to prevent them from overflowing into to content section of the encoded file. This prevents malicious or accidental modification of data during the decoding process.
\ No newline at end of file