[issue35278] [security] directory traversal in tempfile prefix

2021-03-13 Thread Gregory P. Smith
Change by Gregory P. Smith: -- versions: +Python 3.10, Python 3.6, Python 3.7, Python 3.9

[issue35278] [security] directory traversal in tempfile prefix

2019-11-09 Thread Martijn Pieters
Martijn Pieters added the comment: I found this issue after helping someone solve a Stack Overflow question at https://stackoverflow.com/q/58767241/100297; they eventually figured out that their prefix was a path, not a path element. I'd be all in favour of making tempfile._sanitize_params e

[issue35278] [security] directory traversal in tempfile prefix

2019-04-14 Thread Oliver Bestwalter
Oliver Bestwalter added the comment: I am not sure if this justifies a new issue so I add this here. The suffix parameter can also be used for a traversal attack. It is possible to completely clobber anything in dir and prefix (at least on Windows). e.g. calling mkdtemp or NamedTemporaryFile

[issue35278] [security] directory traversal in tempfile prefix

2019-02-10 Thread Cheryl Sabella
Cheryl Sabella added the comment: Adding Łukasz to the nosy list as release manager. -- nosy: +cheryl.sabella, lukasz.langa

[issue35278] [security] directory traversal in tempfile prefix

2018-11-20 Thread Tomasz Jezierski
Tomasz Jezierski added the comment: Hello, I have created a patch and MR for the Python 3.8 "exception" approach. For reference, here is the patch for Ruby: https://github.com/ruby/ruby/commit/e9ddf2ba41a0bffe1047e33576affd48808c5d0b Maybe we should also consider validation on suffix as in their

[issue35278] [security] directory traversal in tempfile prefix

2018-11-20 Thread Roundup Robot
Change by Roundup Robot: -- keywords: +patch pull_requests: +9875 stage: -> patch review

[issue35278] [security] directory traversal in tempfile prefix

2018-11-19 Thread STINNER Victor
Change by STINNER Victor: -- title: directory traversal in tempfile prefix -> [security] directory traversal in tempfile prefix