mirror of
https://github.com/openembedded/meta-openembedded.git
synced 2026-07-16 04:17:25 +00:00
python3-python-multipart: patch CVE-2026-24486
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-24486 Pick the patch that is referenced by the NVD advisory. Ptests passed successfully: Testsuite summary TOTAL: 121 PASS: 121 SKIP: 0 XFAIL: 0 FAIL: 0 XPASS: 0 ERROR: 0 DURATION: 2 Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
This commit is contained in:
committed by
Anuj Mittal
parent
80a5465833
commit
b6fe5458db
@@ -0,0 +1,61 @@
|
|||||||
|
From 1194f169d7f6db3b518c40ef703135ffc4015ebe Mon Sep 17 00:00:00 2001
|
||||||
|
From: Marcelo Trylesinski <marcelotryle@gmail.com>
|
||||||
|
Date: Sun, 25 Jan 2026 10:37:09 +0100
|
||||||
|
Subject: [PATCH] Merge commit from fork
|
||||||
|
|
||||||
|
CVE: CVE-2026-24486
|
||||||
|
Upstream-Status: Backport [https://github.com/Kludex/python-multipart/commit/9433f4bbc9652bdde82bbe380984e32f8cfc89c4]
|
||||||
|
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
|
||||||
|
---
|
||||||
|
python_multipart/multipart.py | 4 +++-
|
||||||
|
tests/test_file.py | 26 ++++++++++++++++++++++++++
|
||||||
|
2 files changed, 29 insertions(+), 1 deletion(-)
|
||||||
|
create mode 100644 tests/test_file.py
|
||||||
|
|
||||||
|
diff --git a/python_multipart/multipart.py b/python_multipart/multipart.py
|
||||||
|
index f26a815..7168c96 100644
|
||||||
|
--- a/python_multipart/multipart.py
|
||||||
|
+++ b/python_multipart/multipart.py
|
||||||
|
@@ -376,7 +376,9 @@ class File:
|
||||||
|
|
||||||
|
# Split the extension from the filename.
|
||||||
|
if file_name is not None:
|
||||||
|
- base, ext = os.path.splitext(file_name)
|
||||||
|
+ # Extract just the basename to avoid directory traversal
|
||||||
|
+ basename = os.path.basename(file_name)
|
||||||
|
+ base, ext = os.path.splitext(basename)
|
||||||
|
self._file_base = base
|
||||||
|
self._ext = ext
|
||||||
|
|
||||||
|
diff --git a/tests/test_file.py b/tests/test_file.py
|
||||||
|
new file mode 100644
|
||||||
|
index 0000000..4d65232
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/tests/test_file.py
|
||||||
|
@@ -0,0 +1,26 @@
|
||||||
|
+from pathlib import Path
|
||||||
|
+
|
||||||
|
+from python_multipart.multipart import File
|
||||||
|
+
|
||||||
|
+
|
||||||
|
+def test_upload_dir_with_leading_slash_in_filename(tmp_path: Path):
|
||||||
|
+ upload_dir = tmp_path / "upload"
|
||||||
|
+ upload_dir.mkdir()
|
||||||
|
+
|
||||||
|
+ # When the file_name provided has a leading slash, we should only use the basename.
|
||||||
|
+ # This is to avoid directory traversal.
|
||||||
|
+ to_upload = tmp_path / "foo.txt"
|
||||||
|
+
|
||||||
|
+ file = File(
|
||||||
|
+ bytes(to_upload),
|
||||||
|
+ config={
|
||||||
|
+ "UPLOAD_DIR": bytes(upload_dir),
|
||||||
|
+ "UPLOAD_KEEP_FILENAME": True,
|
||||||
|
+ "UPLOAD_KEEP_EXTENSIONS": True,
|
||||||
|
+ "MAX_MEMORY_FILE_SIZE": 10,
|
||||||
|
+ },
|
||||||
|
+ )
|
||||||
|
+ file.write(b"123456789012")
|
||||||
|
+ assert not file.in_memory
|
||||||
|
+ assert Path(upload_dir / "foo.txt").exists()
|
||||||
|
+ assert Path(upload_dir / "foo.txt").read_bytes() == b"123456789012"
|
||||||
@@ -2,6 +2,7 @@ SUMMARY = "A streaming multipart parser for Python"
|
|||||||
LICENSE = "Apache-2.0"
|
LICENSE = "Apache-2.0"
|
||||||
LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=3d98f0d58b28321924a89ab60c82410e"
|
LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=3d98f0d58b28321924a89ab60c82410e"
|
||||||
|
|
||||||
|
SRC_URI += "file://CVE-2026-24486.patch"
|
||||||
SRC_URI[sha256sum] = "8dd0cab45b8e23064ae09147625994d090fa46f5b0d1e13af944c331a7fa9d13"
|
SRC_URI[sha256sum] = "8dd0cab45b8e23064ae09147625994d090fa46f5b0d1e13af944c331a7fa9d13"
|
||||||
|
|
||||||
inherit pypi python_hatchling ptest-python-pytest
|
inherit pypi python_hatchling ptest-python-pytest
|
||||||
|
|||||||
Reference in New Issue
Block a user