
Author vstinner
Recipients Yusuke Endoh, vstinner
Date 2018-11-19.14:05:49
Message-id <1542636350.08.0.788709270274.issue35278@psf.upfronthosting.co.za>
In-reply-to
Content
Ruby handled this issue as a vulnerability:
https://www.ruby-lang.org/en/news/2018/03/28/unintentional-file-and-directory-creation-with-directory-traversal-cve-2018-6914/

The doc of "gettempprefix" says "This does not contain the directory component", so it is natural for users to think "prefix" will accept only a file name.

Maybe we can silently truncate the directory part of the prefix to only keep the base name in stable branches, but raise an exception in Python 3.8? Or maybe emit a deprecation warning in Python 3.7?
History
Date                 User      Action   Args
2018-11-19 14:05:50  vstinner  set      recipients: + vstinner, Yusuke Endoh
2018-11-19 14:05:50  vstinner  set      messageid: <1542636350.08.0.788709270274.issue35278@psf.upfronthosting.co.za>
2018-11-19 14:05:50  vstinner  link     issue35278 messages
2018-11-19 14:05:49  vstinner  create
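An added example (not part of this issue thread and not CPython's tempfile code) that models the problem the message describes: a temporary-file helper that builds its path as `os.path.join(dir, prefix + random + suffix)` without checking the affixes. The `naive_candidate` function is an illustrative model of that construction, `escapes` shows how a prefix such as `"../../x"` lands the file outside `dir`, and `safe_mkstemp` applies the check vstinner proposes as the strict option (reject a prefix or suffix that carries a directory component) plus a belt-and-braces containment check on the resolved path. All function names here are assumptions for the demonstration; the temporary directory used by `demo()` is created locally so the example runs offline.

```python
import os
import random
import string
import tempfile


def build_name(prefix, suffix, rand=None):
    """Assemble prefix + random part + suffix the way a naive temp-file
    helper would, with no validation of the affixes (illustrative model)."""
    if rand is None:
        rand = "".join(random.choices(string.ascii_lowercase + string.digits, k=8))
    return prefix + rand + suffix


def naive_candidate(directory, prefix, suffix, rand=None):
    """Unchecked path construction: join the name onto the directory.
    If `prefix` starts with '../' segments, the join walks out of `directory`."""
    return os.path.join(directory, build_name(prefix, suffix, rand))


def escapes(directory, path):
    """True if `path` resolves to a location outside `directory`."""
    base = os.path.realpath(directory)
    target = os.path.realpath(path)
    return os.path.commonpath([base, target]) != base


def check_affix(value, what):
    """Reject a prefix/suffix that contains a directory component
    (the 'raise an exception' option from the message)."""
    if os.path.basename(value) != value:
        raise ValueError(f"{what} must not contain a directory component: {value!r}")
    return value


def safe_mkstemp(directory, prefix="tmp", suffix=""):
    """Create a file strictly inside `directory`: validate the affixes first,
    then refuse any candidate whose resolved path leaves `directory`.
    Returns (fd, path) like tempfile.mkstemp."""
    check_affix(prefix, "prefix")
    check_affix(suffix, "suffix")
    for _ in range(100):
        path = naive_candidate(directory, prefix, suffix)
        if escapes(directory, path):  # defence in depth; cannot trigger after check_affix
            raise ValueError(f"refusing to create {path!r} outside {directory!r}")
        try:
            fd = os.open(path, os.O_RDWR | os.O_CREAT | os.O_EXCL, 0o600)
        except FileExistsError:
            continue  # name collision, pick another random part
        return fd, path
    raise FileExistsError("no usable temporary file name found")


def demo():
    """Show the traversal with the naive construction and its rejection by
    the hardened helper. Returns (directory, bad_path, good_path, rejected)."""
    directory = tempfile.mkdtemp()  # constructed sandbox directory for the demo
    bad = naive_candidate(directory, "../../escaped_", ".txt", rand="abcdefgh")
    print(bad, "escapes:", escapes(directory, bad))
    rejected = False
    try:
        safe_mkstemp(directory, prefix="../../escaped_")
    except ValueError as exc:
        rejected = True
        print("rejected:", exc)
    fd, good = safe_mkstemp(directory, prefix="report_", suffix=".log")
    os.close(fd)
    print(good, "escapes:", escapes(directory, good))
    return directory, bad, good, rejected


if __name__ == "__main__":
    demo()
```

The `check_affix` test (`os.path.basename(value) != value`) covers both separators on Windows and a drive prefix such as `C:foo`, which `ntpath.basename` also strips; the `escapes` check is redundant once affixes are validated, but it is the guard that would have caught the unvalidated case on its own and is cheap to keep.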