Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status
summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
Diffstat
-rw-r--r--Lib/encodings/uu_codec.py4
-rw-r--r--Lib/test/test_uu.py9
-rwxr-xr-xLib/uu.py7
-rw-r--r--Misc/NEWS.d/next/Security/2019-12-01-22-44-40.bpo-38945.ztmNXc.rst1
4 files changed, 21 insertions, 0 deletions
diff --git a/Lib/encodings/uu_codec.py b/Lib/encodings/uu_codec.py
index 2a5728fb5b7..4e58c62fe9e 100644
--- a/Lib/encodings/uu_codec.py
+++ b/Lib/encodings/uu_codec.py
@@ -20,6 +20,10 @@ def uu_encode(input, errors='strict', filename='<data>', mode=0o666):
read = infile.read
write = outfile.write
+ # Remove newline chars from filename
+ filename = filename.replace('\n','\\n')
+ filename = filename.replace('\r','\\r')
+
# Encode
write(('begin %o %s\n' % (mode & 0o777, filename)).encode('ascii'))
chunk = read(45)
diff --git a/Lib/test/test_uu.py b/Lib/test/test_uu.py
index 73564789813..3503d76b859 100644
--- a/Lib/test/test_uu.py
+++ b/Lib/test/test_uu.py
@@ -114,6 +114,15 @@ class UUTest(unittest.TestCase):
decoded = codecs.decode(encodedtext, "uu_codec")
self.assertEqual(decoded, plaintext)
+ def test_newlines_escaped(self):
+ # Test newlines are escaped with uu.encode
+ inp = io.BytesIO(plaintext)
+ out = io.BytesIO()
+ filename = "test.txt\n\roverflow.txt"
+ safefilename = b"test.txt\\n\\roverflow.txt"
+ uu.encode(inp, out, filename)
+ self.assertIn(safefilename, out.getvalue())
+
class UUStdIOTest(unittest.TestCase):
def setUp(self):
diff --git a/Lib/uu.py b/Lib/uu.py
index d68d29374a8..3a8c31cff06 100755
--- a/Lib/uu.py
+++ b/Lib/uu.py
@@ -73,6 +73,13 @@ def encode(in_file, out_file, name=None, mode=None):
name = '-'
if mode is None:
mode = 0o666
+
+ #
+ # Remove newline chars from name
+ #
+ name = name.replace('\n','\\n')
+ name = name.replace('\r','\\r')
+
#
# Write the data
#
diff --git a/Misc/NEWS.d/next/Security/2019-12-01-22-44-40.bpo-38945.ztmNXc.rst b/Misc/NEWS.d/next/Security/2019-12-01-22-44-40.bpo-38945.ztmNXc.rst
new file mode 100644
index 00000000000..1bf6ed567b2
--- /dev/null
+++ b/Misc/NEWS.d/next/Security/2019-12-01-22-44-40.bpo-38945.ztmNXc.rst
@@ -0,0 +1 @@
+Newline characters have been escaped when performing uu encoding to prevent them from overflowing into to content section of the encoded file. This prevents malicious or accidental modification of data during the decoding process. \ No newline at end of file