File: CVE-2026-24486.patch

From: Marcelo Trylesinski <marcelotryle@gmail.com>
Date: Sun, 25 Jan 2026 10:37:09 +0100
Subject: Merge commit from fork
Origin: https://github.com/Kludex/python-multipart/commit/9433f4bbc9652bdde82bbe380984e32f8cfc89c4
Bug-Debian: https://bugs.debian.org/1126557
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2026-24486

---
 python_multipart/multipart.py |  4 +++-
 tests/test_file.py            | 26 ++++++++++++++++++++++++++
 2 files changed, 29 insertions(+), 1 deletion(-)
 create mode 100644 tests/test_file.py

diff --git a/python_multipart/multipart.py b/python_multipart/multipart.py
index 0cc4c82ebdf6..1489b7afd55d 100644
--- a/python_multipart/multipart.py
+++ b/python_multipart/multipart.py
@@ -375,7 +375,9 @@ class File:
 
         # Split the extension from the filename.
         if file_name is not None:
-            base, ext = os.path.splitext(file_name)
+            # Extract just the basename to avoid directory traversal
+            basename = os.path.basename(file_name)
+            base, ext = os.path.splitext(basename)
             self._file_base = base
             self._ext = ext
 
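Review bot: The comment on line 96 promises more than the `os.path.basename` call on line 97 delivers: it strips directory components, but still returns `b""` for `b"../"` or `b"/"` and `b".."` for `b".."`, so `self._file_base` can be empty or dot-only, and on POSIX it is `posixpath.basename`, which does not treat `\` as a separator. Those residual values cannot escape `UPLOAD_DIR` once joined onto it, but they presumably surface as an error at open time in whatever consumes `_file_base` (outside this hunk; the `UPLOAD_KEEP_FILENAME` config in the new test suggests that consumer exists). I would either record the limitation in the comment, e.g. `# Keep only the last path component so a client-supplied name cannot escape UPLOAD_DIR; this is platform-native (no backslash splitting on POSIX) and may still yield b"" or b".."`, or reject empty and dot-only names explicitly here so the consumer does not rely on open() failing. The enclosing `__init__` starts and ends outside the hunk.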
diff --git a/tests/test_file.py b/tests/test_file.py
new file mode 100644
index 000000000000..4d65232e1ad3
--- /dev/null
+++ b/tests/test_file.py
@@ -0,0 +1,26 @@
+from pathlib import Path
+
+from python_multipart.multipart import File
+
+
+def test_upload_dir_with_leading_slash_in_filename(tmp_path: Path):
+    upload_dir = tmp_path / "upload"
+    upload_dir.mkdir()
+
+    # When the file_name provided has a leading slash, we should only use the basename.
+    # This is to avoid directory traversal.
+    to_upload = tmp_path / "foo.txt"
+
+    file = File(
+        bytes(to_upload),
+        config={
+            "UPLOAD_DIR": bytes(upload_dir),
+            "UPLOAD_KEEP_FILENAME": True,
+            "UPLOAD_KEEP_EXTENSIONS": True,
+            "MAX_MEMORY_FILE_SIZE": 10,
+        },
+    )
+    file.write(b"123456789012")
+    assert not file.in_memory
+    assert Path(upload_dir / "foo.txt").exists()
+    assert Path(upload_dir / "foo.txt").read_bytes() == b"123456789012"
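Review bot: The test only exercises an absolute `file_name` (`bytes(to_upload)`, line 122), whereas the comment on lines 117-118 and the advisory are about directory traversal; the relative shape an attacker actually sends, `b"../foo.txt"`, is never tried, and nothing asserts that the pre-fix destination (presumably `tmp_path / "foo.txt"`, where both the absolute and the `../` form would have landed after the join) stays absent. I would parametrise over a few traversal spellings and add that negative assertion, which needs `import pytest` at the top of the new file. The file handle `File` opens on disk is also never closed in the test; if the class exposes a close method it should be called so the handle is released before `tmp_path` is torn down.

```python
@pytest.mark.parametrize(
    "file_name",
    [b"../foo.txt", b"../../foo.txt", b"dir/../foo.txt", b"/abs/path/foo.txt"],
)
def test_upload_dir_traversal_in_filename(tmp_path: Path, file_name: bytes):
    upload_dir = tmp_path / "upload"
    upload_dir.mkdir()

    file = File(
        file_name,
        config={
            # … unchanged: same UPLOAD_DIR / UPLOAD_KEEP_* / MAX_MEMORY_FILE_SIZE config …
        },
    )
    file.write(b"123456789012")
    assert not file.in_memory
    assert (upload_dir / "foo.txt").read_bytes() == b"123456789012"
    # The location the unpatched join would have written to must stay empty.
    assert not (tmp_path / "foo.txt").exists()
```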
-- 
2.51.0