Remove newline characters from uu encoding methods¶
Filenames passed to the UU encoding methods (uu.py and uu_codec.py) that contain a newline character will overflow data into the UU content section. This can potentially be used to inject replace or corrupt data content in a file during the decode process.
The fix removes newline characters from filenames.
- Disclosure date: 2019-11-30 (Python issue bpo-38945 reported)
- Reported at: 2019-11-28 (PSRT list)
- Reported by: Matthew Rollings
Fixed In¶
- Python 2.7.18 (2020-04-19) fixed by commit a016d4e (branch 2.7) (2019-12-03)
- Python 3.5.10 (2020-09-05) fixed by commit 8835f46 (branch 3.5) (2020-03-21)
- Python 3.6.10 (2019-12-18) fixed by commit 30afc91 (branch 3.6) (2019-12-02)
- Python 3.7.6 (2019-12-18) fixed by commit 87f2d26 (branch 3.7) (2019-12-02)
- Python 3.8.1 (2019-12-18) fixed by commit 8859fc6 (branch 3.8) (2019-12-02)
- Python 3.9.0 (2020-10-05) fixed by commit a62ad47 (branch 3.9) (2019-12-02)
Python issue¶
Remove newline characters from uu encoding methods.
- Python issue: bpo-38945
- Creation date: 2019-11-30
- Reporter: stealthcopter
Timeline¶
Timeline using the disclosure date 2019-11-30 as reference:
- 2019-11-28 (-2 days): Reported (PSRT list)
- 2019-11-30: Python issue bpo-38945 reported by stealthcopter
- 2019-12-02 (+2 days): commit 30afc91 (branch 3.6)
- 2019-12-02 (+2 days): commit 87f2d26 (branch 3.7)
- 2019-12-02 (+2 days): commit 8859fc6 (branch 3.8)
- 2019-12-02 (+2 days): commit a62ad47 (branch 3.9)
- 2019-12-03 (+3 days): commit a016d4e (branch 2.7)
- 2019-12-18 (+18 days): Python 3.6.10 released
- 2019-12-18 (+18 days): Python 3.7.6 released
- 2019-12-18 (+18 days): Python 3.8.1 released
- 2020-03-21 (+112 days): commit 8835f46 (branch 3.5)
- 2020-04-19 (+141 days): Python 2.7.18 released
- 2020-09-05 (+280 days): Python 3.5.10 released
- 2020-10-05: Python 3.9.0 released