classification
Title: [security] directory traversal in tempfile prefix
Type: security Stage: patch review
Components: Library (Lib) Versions: Python 3.8
process
Status: open Resolution:
Dependencies: Superseder:
Assigned To: Nosy List: Yusuke Endoh, cheryl.sabella, lukasz.langa, thorleon, vstinner
Priority: normal Keywords: patch

Created on 2018-11-19 12:46 by Yusuke Endoh, last changed 2019-02-10 22:15 by cheryl.sabella.

Files
File name Uploaded Description Edit
bpo-35278.patch thorleon, 2018-11-21 01:35
Pull Requests
URL Status Linked Edit
PR 10627 open python-dev, 2018-11-21 01:20
Messages (4)
msg330097 - (view) Author: Yusuke Endoh (Yusuke Endoh) Date: 2018-11-19 12:46
Hello,

The tempfile library does not check the prefix argument, which can be exploited to create files outside tmpdir by using directory traversal.

```
>>> import tempfile
>>> tempfile.gettempprefix()
'tmp'
>>> f = tempfile.NamedTemporaryFile(prefix="/home/mame/cracked")
>>> f.name
'/home/mame/crackedlt3y_ddm'
```

The same issue was found and treated as a vulnerability in PHP (CVE-2006-1494) and Ruby (CVE-2018-6914).

I first reported this issue to security@python.org in July 2018.  Some people kindly discussed it, and finally I was told to create a ticket here.
msg330100 - (view) Author: STINNER Victor (vstinner) * (Python committer) Date: 2018-11-19 14:05
Ruby handled this issue as a vulnerability:
https://www.ruby-lang.org/en/news/2018/03/28/unintentional-file-and-directory-creation-with-directory-traversal-cve-2018-6914/

The doc of "gettempprefix" says "This does not contain the directory component", so it is natural for users to think "prefix" will accept only a file name.

Maybe we can silently truncate the directory part of the prefix to only keep the base name in stable branches, but raise an exception in Python 3.8? Or maybe emit a deprecation warning in Python 3.7?
msg330169 - (view) Author: Tomasz Jezierski (thorleon) * Date: 2018-11-21 01:35
Hello,
I have created a patch and MR for the Python 3.8 "exception" approach.

For reference, here is the patch for Ruby:
https://github.com/ruby/ruby/commit/e9ddf2ba41a0bffe1047e33576affd48808c5d0b

Maybe we should also consider validation of the suffix, as in their solution?
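The following is an added example illustrating the "raise an exception" approach discussed in msg330100 and the prefix/suffix validation raised in msg330169. It is not the code from PR 10627, the Ruby commit, or the standard library; `_check_component`, `safe_named_tempfile` and `demo_traversal` are hypothetical names chosen for this example. It first reproduces the report's escape against a constructed scratch directory (this relies on `tempfile` still joining `dir` and `prefix` without validation), then shows a wrapper that refuses any prefix or suffix carrying a directory component and, as a second line of defence, verifies that the created file resolved to a direct child of `dir`.

```python
import os
import shutil
import tempfile


def _check_component(name, value):
    """Raise ValueError if a prefix/suffix smuggles in a directory component.

    Hypothetical helper for this example; the stdlib performs no such check.
    """
    if value is None:  # tempfile treats None as "use the default"
        return
    separators = [os.sep] + ([os.altsep] if os.altsep else [])
    # A bare file-name fragment is its own basename; anything containing a
    # separator (or, on Windows, a drive letter) is a path and can leave `dir`.
    if any(sep in value for sep in separators) or os.path.basename(value) != value:
        raise ValueError(f"{name} must not contain a directory component: {value!r}")


def safe_named_tempfile(prefix="tmp", suffix="", dir=None, **kwargs):
    """NamedTemporaryFile that rejects traversal in prefix/suffix, then
    verifies the created file really landed inside `dir`."""
    _check_component("prefix", prefix)
    _check_component("suffix", suffix)
    dir = tempfile.gettempdir() if dir is None else dir
    f = tempfile.NamedTemporaryFile(prefix=prefix, suffix=suffix, dir=dir, **kwargs)
    # Defence in depth: the final path must resolve to a direct child of dir.
    if os.path.dirname(os.path.realpath(f.name)) != os.path.realpath(dir):
        f.close()  # delete=True removes the stray file
        raise RuntimeError(f"temporary file escaped {dir!r}: {f.name!r}")
    return f


def demo_traversal():
    """Reproduce the report in a scratch tree, then show the wrapper blocking it.

    Returns (escaped, rejected, contained): whether the unpatched call wrote
    outside `inside/`, whether the wrapper refused the same prefix, and whether
    an honest prefix stayed inside `inside/`.
    """
    root = tempfile.mkdtemp()  # constructed scratch directory, removed below
    try:
        inside = os.path.join(root, "inside")
        outside = os.path.join(root, "outside")
        os.mkdir(inside)
        os.mkdir(outside)
        evil_prefix = os.path.join("..", "outside", "cracked")

        # Unpatched stdlib behaviour from the report: dir=inside, yet the
        # file is created in outside/ because prefix is joined unchecked.
        f = tempfile.NamedTemporaryFile(prefix=evil_prefix, dir=inside)
        escaped = os.path.dirname(os.path.realpath(f.name)) == os.path.realpath(outside)
        f.close()

        # Hardened wrapper: the same prefix is refused before any file exists.
        try:
            safe_named_tempfile(prefix=evil_prefix, dir=inside)
            rejected = False
        except ValueError:
            rejected = True

        # A plain file-name prefix still works and stays where it was asked to.
        g = safe_named_tempfile(prefix="cracked", dir=inside)
        contained = os.path.dirname(os.path.realpath(g.name)) == os.path.realpath(inside)
        g.close()
        return escaped, rejected, contained
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print(demo_traversal())  # (True, True, True)
```

The basename comparison is the same test the Ruby fix applies; the realpath check after creation is extra and catches cases the string check cannot see, such as a symlinked `dir`. A stable-branch "truncate to basename" variant would replace the `raise` in `_check_component` with `value = os.path.basename(value)` plus a warning.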
msg335174 - (view) Author: Cheryl Sabella (cheryl.sabella) * (Python triager) Date: 2019-02-10 22:15
Adding Łukasz to the nosy list as release manager.
History
Date User Action Args
2019-02-10 22:15:29 cheryl.sabella set nosy: + cheryl.sabella, lukasz.langa
messages: + msg335174
2018-11-21 01:35:03 thorleon set files: + bpo-35278.patch
nosy: + thorleon
messages: + msg330169
2018-11-21 01:20:30 python-dev set keywords: + patch
stage: patch review
pull_requests: + pull_request9875
2018-11-19 14:08:55 vstinner set title: directory traversal in tempfile prefix -> [security] directory traversal in tempfile prefix
2018-11-19 14:05:50 vstinner set nosy: + vstinner
messages: + msg330100
2018-11-19 12:46:03 Yusuke Endoh create