This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

classification
Title: Remove newline characters from uu encoding methods
Type: security Stage: resolved
Components: Versions: Python 3.9, Python 3.8, Python 3.7, Python 3.6, Python 3.5, Python 2.7
process
Status: closed Resolution: fixed
Dependencies: Superseder:
Assigned To: Nosy List: gvanrossum, larry, miss-islington, ned.deily, stealthcopter
Priority: normal Keywords: patch

Created on 2019-11-30 17:06 by stealthcopter, last changed 2022-04-11 14:59 by admin. This issue is now closed.

Pull Requests
URL Status Linked Edit
PR 17418 merged stealthcopter, 2019-11-30 17:06
PR 17442 merged miss-islington, 2019-12-02 22:25
PR 17443 merged miss-islington, 2019-12-02 22:25
PR 17444 merged miss-islington, 2019-12-02 22:25
PR 17445 merged ned.deily, 2019-12-03 00:50
PR 17452 merged stealthcopter, 2019-12-03 17:32
Messages (8)
msg357660 - (view) Author: stealthcopter (stealthcopter) * Date: 2019-11-30 17:06
Filenames passed to the UU encoding methods (uu.py and uu_codec.py) that contain a newline character will overflow data into the UU content section. This can potentially be used to inject replace or corrupt data content in a file during the decode process.

Initially discussed via the PSRT but deemed low risk so suggested I create a PR with the changes and a BPO.
msg357730 - (view) Author: Guido van Rossum (gvanrossum) * (Python committer) Date: 2019-12-02 22:25
New changeset a62ad4730c9b575f140f24074656c0257c86a09a by Guido van Rossum (Matthew Rollings) in branch 'master':
bpo-38945: UU Encoding: Don't let newline in filename corrupt the output format (#17418)
https://github.com/python/cpython/commit/a62ad4730c9b575f140f24074656c0257c86a09a
msg357731 - (view) Author: miss-islington (miss-islington) Date: 2019-12-02 22:43
New changeset 87f2d261ee1c63ed39517355833d087c5a78b4bf by Miss Islington (bot) in branch '3.7':
bpo-38945: UU Encoding: Don't let newline in filename corrupt the output format (GH-17418)
https://github.com/python/cpython/commit/87f2d261ee1c63ed39517355833d087c5a78b4bf
msg357732 - (view) Author: miss-islington (miss-islington) Date: 2019-12-02 22:44
New changeset 8859fc629474ab1ca7eb2e67aec538097c327e58 by Miss Islington (bot) in branch '3.8':
bpo-38945: UU Encoding: Don't let newline in filename corrupt the output format (GH-17418)
https://github.com/python/cpython/commit/8859fc629474ab1ca7eb2e67aec538097c327e58
msg357734 - (view) Author: Ned Deily (ned.deily) * (Python committer) Date: 2019-12-02 23:34
New changeset 30afc91f5e70cf4748ffac77a419ba69ebca6f6a by Ned Deily (Miss Islington (bot)) in branch '3.6':
bpo-38945: UU Encoding: Don't let newline in filename corrupt the output format (GH-17418) (GH-17444)
https://github.com/python/cpython/commit/30afc91f5e70cf4748ffac77a419ba69ebca6f6a
msg357735 - (view) Author: Guido van Rossum (gvanrossum) * (Python committer) Date: 2019-12-02 23:37
(Now waiting for 2.7 backport by stealthcopter.)
msg357756 - (view) Author: Guido van Rossum (gvanrossum) * (Python committer) Date: 2019-12-03 18:18
New changeset a016d4e32cc9faa48105d00db275439c3dc93559 by Guido van Rossum (Matthew Rollings) in branch '2.7':
[2.7] bpo-38945: UU Encoding: Don't let newline in filename corrupt the output format (GH-17418). (#17452)
https://github.com/python/cpython/commit/a016d4e32cc9faa48105d00db275439c3dc93559
msg364726 - (view) Author: Larry Hastings (larry) * (Python committer) Date: 2020-03-21 05:42
New changeset 8835f465fa94f114dcf865429c0410821d365dae by Ned Deily in branch '3.5':
bpo-38945: UU Encoding: Don't let newline in filename corrupt the output format (GH-17418) (GH-17444) (#17445)
https://github.com/python/cpython/commit/8835f465fa94f114dcf865429c0410821d365dae
History
Date User Action Args
2022-04-11 14:59:23adminsetgithub: 83126
2020-03-21 08:39:28larrysetstatus: open -> closed
resolution: fixed
stage: patch review -> resolved
2020-03-21 05:42:57larrysetnosy: + larry
messages: + msg364726
2019-12-03 18:18:59gvanrossumsetmessages: + msg357756
2019-12-03 17:32:43stealthcoptersetpull_requests: + pull_request16933
2019-12-03 00:52:20ned.deilysetversions: + Python 3.5
2019-12-03 00:50:14ned.deilysetpull_requests: + pull_request16926
2019-12-02 23:39:38ned.deilysetversions: + Python 2.7, Python 3.6, Python 3.7, Python 3.8, Python 3.9
2019-12-02 23:37:00gvanrossumsetmessages: + msg357735
2019-12-02 23:34:37ned.deilysetnosy: + ned.deily
messages: + msg357734
2019-12-02 22:44:47miss-islingtonsetmessages: + msg357732
2019-12-02 22:43:19miss-islingtonsetnosy: + miss-islington
messages: + msg357731
2019-12-02 22:25:48miss-islingtonsetpull_requests: + pull_request16925
2019-12-02 22:25:42miss-islingtonsetpull_requests: + pull_request16924
2019-12-02 22:25:36miss-islingtonsetkeywords: + patch
stage: patch review
pull_requests: + pull_request16923
2019-12-02 22:25:28gvanrossumsetnosy: + gvanrossum
messages: + msg357730
2019-11-30 17:06:01stealthcoptercreate