mirrors/meta-openembedded
1
0
Fork 0
mirror of https://github.com/openembedded/meta-openembedded.git synced 2026-06-14 05:49:57 +00:00
Code Issues Projects Releases Wiki Activity

python3-python-multipart: patch CVE-2026-24486

Browse Source 
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-24486

Pick the patch that is referenced by the NVD advisory.

Ptests passed successfully:

Testsuite summary
 TOTAL: 121
 PASS: 121
 SKIP: 0
 XFAIL: 0
 FAIL: 0
 XPASS: 0
 ERROR: 0
DURATION: 2

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
This commit is contained in:
Gyorgy Sarvari
2026-02-05 13:04:21 +01:00
committed by Anuj Mittal
parent 80a5465833
commit b6fe5458db
2 changed files with 62 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
meta-python/recipes-devtools/python/python3-python-multipart/CVE-2026-24486.patch
+61
View File
@@ -0,0 +1,61 @@
From 1194f169d7f6db3b518c40ef703135ffc4015ebe Mon Sep 17 00:00:00 2001
From: Marcelo Trylesinski <marcelotryle@gmail.com>
Date: Sun, 25 Jan 2026 10:37:09 +0100
Subject: [PATCH] Merge commit from fork
CVE: CVE-2026-24486
Upstream-Status: Backport [https://github.com/Kludex/python-multipart/commit/9433f4bbc9652bdde82bbe380984e32f8cfc89c4]
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
---
python_multipart/multipart.py | 4 +++-
tests/test_file.py | 26 ++++++++++++++++++++++++++
2 files changed, 29 insertions(+), 1 deletion(-)
create mode 100644 tests/test_file.py
diff --git a/python_multipart/multipart.py b/python_multipart/multipart.py
index f26a815..7168c96 100644
--- a/python_multipart/multipart.py
+++ b/python_multipart/multipart.py
@@ -376,7 +376,9 @@ class File:
# Split the extension from the filename.
if file_name is not None:
- base, ext = os.path.splitext(file_name)
+ # Extract just the basename to avoid directory traversal
+ basename = os.path.basename(file_name)
+ base, ext = os.path.splitext(basename)
self._file_base = base
self._ext = ext
diff --git a/tests/test_file.py b/tests/test_file.py
new file mode 100644
index 0000000..4d65232
--- /dev/null
+++ b/tests/test_file.py
@@ -0,0 +1,26 @@
+from pathlib import Path
+
+from python_multipart.multipart import File
+
+
+def test_upload_dir_with_leading_slash_in_filename(tmp_path: Path):
+ upload_dir = tmp_path / "upload"
+ upload_dir.mkdir()
+
+ # When the file_name provided has a leading slash, we should only use the basename.
+ # This is to avoid directory traversal.
+ to_upload = tmp_path / "foo.txt"
+
+ file = File(
+ bytes(to_upload),
+ config={
+ "UPLOAD_DIR": bytes(upload_dir),
+ "UPLOAD_KEEP_FILENAME": True,
+ "UPLOAD_KEEP_EXTENSIONS": True,
+ "MAX_MEMORY_FILE_SIZE": 10,
+ },
+ )
+ file.write(b"123456789012")
+ assert not file.in_memory
+ assert Path(upload_dir / "foo.txt").exists()
+ assert Path(upload_dir / "foo.txt").read_bytes() == b"123456789012"