Control: tags 1126557 + patch Control: tags 1126557 + pending
Dear maintainer, I've prepared an NMU for python-multipart (versioned as 0.0.20-1.1) and uploaded it to DELAYED/5. Please feel free to tell me if I should cancel it. I'm not sure if this warrants a DSA yet, since this affects non-default configurations, cf. https://github.com/Kludex/python-multipart/security/advisories/GHSA-wp53-j4wj-2cfg and I have found no reverse dependency in Debian making use of it in such a way. debusine workflow information at: https://debusine.debian.net/debian/developers/work-request/367109/ Regards, Salvatore
diffstat for python-multipart-0.0.20 python-multipart-0.0.20 changelog | 9 +++ patches/CVE-2026-24486.patch | 63 ++++++++++++++++++++++++ patches/chore-add-return-type-on-test-221.patch | 25 +++++++++ patches/series | 2 4 files changed, 99 insertions(+) diff -Nru python-multipart-0.0.20/debian/changelog python-multipart-0.0.20/debian/changelog --- python-multipart-0.0.20/debian/changelog 2025-03-14 06:14:13.000000000 +0100 +++ python-multipart-0.0.20/debian/changelog 2026-02-01 16:22:52.000000000 +0100 @@ -1,3 +1,12 @@ +python-multipart (0.0.20-1.1) unstable; urgency=medium + + * Non-maintainer upload. + * Arbitrary file write via a non-default configuration (CVE-2026-24486) + (Closes: #1126557) + * chore: add return type on test + + -- Salvatore Bonaccorso <[email protected]> Sun, 01 Feb 2026 16:22:52 +0100 + python-multipart (0.0.20-1) unstable; urgency=medium * New upstream release diff -Nru python-multipart-0.0.20/debian/patches/CVE-2026-24486.patch python-multipart-0.0.20/debian/patches/CVE-2026-24486.patch --- python-multipart-0.0.20/debian/patches/CVE-2026-24486.patch 1970-01-01 01:00:00.000000000 +0100 +++ python-multipart-0.0.20/debian/patches/CVE-2026-24486.patch 2026-02-01 16:20:51.000000000 +0100 @@ -0,0 +1,63 @@ +From: Marcelo Trylesinski <[email protected]> +Date: Sun, 25 Jan 2026 10:37:09 +0100 +Subject: Merge commit from fork +Origin: https://github.com/Kludex/python-multipart/commit/9433f4bbc9652bdde82bbe380984e32f8cfc89c4 +Bug-Debian: https://bugs.debian.org/1126557 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2026-24486 + +--- + python_multipart/multipart.py | 4 +++- + tests/test_file.py | 26 ++++++++++++++++++++++++++ + 2 files changed, 29 insertions(+), 1 deletion(-) + create mode 100644 tests/test_file.py + +diff --git a/python_multipart/multipart.py b/python_multipart/multipart.py +index 0cc4c82ebdf6..1489b7afd55d 100644 +--- a/python_multipart/multipart.py ++++ b/python_multipart/multipart.py +@@ -375,7 +375,9 @@ class File: + + # Split the extension from the filename. + if file_name is not None: +- base, ext = os.path.splitext(file_name) ++ # Extract just the basename to avoid directory traversal ++ basename = os.path.basename(file_name) ++ base, ext = os.path.splitext(basename) + self._file_base = base + self._ext = ext + +diff --git a/tests/test_file.py b/tests/test_file.py +new file mode 100644 +index 000000000000..4d65232e1ad3 +--- /dev/null ++++ b/tests/test_file.py +@@ -0,0 +1,26 @@ ++from pathlib import Path ++ ++from python_multipart.multipart import File ++ ++ ++def test_upload_dir_with_leading_slash_in_filename(tmp_path: Path): ++ upload_dir = tmp_path / "upload" ++ upload_dir.mkdir() ++ ++ # When the file_name provided has a leading slash, we should only use the basename. ++ # This is to avoid directory traversal. ++ to_upload = tmp_path / "foo.txt" ++ ++ file = File( ++ bytes(to_upload), ++ config={ ++ "UPLOAD_DIR": bytes(upload_dir), ++ "UPLOAD_KEEP_FILENAME": True, ++ "UPLOAD_KEEP_EXTENSIONS": True, ++ "MAX_MEMORY_FILE_SIZE": 10, ++ }, ++ ) ++ file.write(b"123456789012") ++ assert not file.in_memory ++ assert Path(upload_dir / "foo.txt").exists() ++ assert Path(upload_dir / "foo.txt").read_bytes() == b"123456789012" +-- +2.51.0 + diff -Nru python-multipart-0.0.20/debian/patches/chore-add-return-type-on-test-221.patch python-multipart-0.0.20/debian/patches/chore-add-return-type-on-test-221.patch --- python-multipart-0.0.20/debian/patches/chore-add-return-type-on-test-221.patch 1970-01-01 01:00:00.000000000 +0100 +++ python-multipart-0.0.20/debian/patches/chore-add-return-type-on-test-221.patch 2026-02-01 16:22:00.000000000 +0100 @@ -0,0 +1,25 @@ +From: Marcelo Trylesinski <[email protected]> +Date: Sun, 25 Jan 2026 10:41:09 +0100 +Subject: chore: add return type on test (#221) +Origin: https://github.com/Kludex/python-multipart/commit/0fb59a9df0f273bfde99740b302ccb2ae45e2b8a + +--- + tests/test_file.py | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tests/test_file.py b/tests/test_file.py +index 4d65232e1ad3..a2aa1348afdf 100644 +--- a/tests/test_file.py ++++ b/tests/test_file.py +@@ -3,7 +3,7 @@ from pathlib import Path + from python_multipart.multipart import File + + +-def test_upload_dir_with_leading_slash_in_filename(tmp_path: Path): ++def test_upload_dir_with_leading_slash_in_filename(tmp_path: Path) -> None: + upload_dir = tmp_path / "upload" + upload_dir.mkdir() + +-- +2.51.0 + diff -Nru python-multipart-0.0.20/debian/patches/series python-multipart-0.0.20/debian/patches/series --- python-multipart-0.0.20/debian/patches/series 2025-03-14 06:14:13.000000000 +0100 +++ python-multipart-0.0.20/debian/patches/series 2026-02-01 16:22:06.000000000 +0100 @@ -1 +1,3 @@ install-only-python_multipart.patch +CVE-2026-24486.patch +chore-add-return-type-on-test-221.patch
