Author steve.dower
Recipients benjamin.peterson, georg.brandl, larry, ned.deily, paul.moore, serhiy.storchaka, steve.dower, tim.golden, zach.ware
Date 2017-07-01.04:37:07
SpamBayes Score -1.0
Marked as misclassified Yes
Message-id <1498883827.43.0.157852676739.issue30730@psf.upfronthosting.co.za>
In-reply-to
Content
It's certainly exploitable for remote code execution if user data allows embedded nulls (can you URL encode %00?). The fixes look fine and shouldn't cause any new issues, though I thought that fsencode() already rejected embedded nulls - maybe I'm thinking of the argument converter though, which is not invoked here.
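The question raised above, whether os.fsencode() rejects embedded NULs or only the C-level argument converter does, can be checked directly. The following is an added example, not code from the issue or from CPython; the sample request values and the check_no_embedded_nul helper are constructed for illustration.

```python
import os
import urllib.parse


def decode_untrusted(value: str) -> str:
    """URL-decode a value the way a web front end would; %00 becomes a NUL."""
    return urllib.parse.unquote(value)


def fsencode_passes_nul(value: str) -> bool:
    """True if os.fsencode() hands back bytes that still contain the NUL.

    fsencode() only encodes with the filesystem encoding; it does not validate.
    """
    return b"\x00" in os.fsencode(value)


def argument_converter_rejects_nul(value: str) -> bool:
    """True if the C-level path converter refuses the value.

    os.stat() goes through PyUnicode_FSConverter, which raises
    ValueError("embedded null byte"); a merely missing file is an OSError.
    """
    try:
        os.stat(value)
    except ValueError:
        return True
    except OSError:
        return False
    return False


def check_no_embedded_nul(value: str, what: str = "value") -> str:
    """Hypothetical helper: reject NULs before a string reaches env or path APIs."""
    if "\x00" in value:
        raise ValueError(f"embedded null byte in {what}")
    return value


if __name__ == "__main__":
    # Constructed sample: a query-string value an attacker controls.
    for raw in ("report.txt", "report.txt%00.exe"):
        decoded = decode_untrusted(raw)
        print(f"{raw!r}: fsencode passes NUL={fsencode_passes_nul(decoded)}, "
              f"converter rejects={argument_converter_rejects_nul(decoded)}")
        try:
            check_no_embedded_nul(decoded, "filename")
            print("  accepted")
        except ValueError as exc:
            print(f"  rejected: {exc}")
```

The run shows fsencode() passing the NUL through while os.stat() rejects it, so a value that bypasses the converter (such as one placed in the environment) needs its own check.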
History
Date                 User         Action  Args
2017-07-01 04:37:07  steve.dower  set     recipients: + steve.dower, georg.brandl, paul.moore, larry, tim.golden, benjamin.peterson, ned.deily, zach.ware, serhiy.storchaka
2017-07-01 04:37:07  steve.dower  set     messageid: <1498883827.43.0.157852676739.issue30730@psf.upfronthosting.co.za>
2017-07-01 04:37:07  steve.dower  link    issue30730 messages
2017-07-01 04:37:07  steve.dower  create