From 2f2d515575cc9c360bd74340a61a1d2b1e1f1f95 Mon Sep 17 00:00:00 2001
From: yueyueL <64764840+yueyueL@users.noreply.github.com>
Date: Thu, 11 Dec 2025 01:11:05 +0700
Subject: [PATCH] pyrofork: fix(security): sanitize file names to prevent CWE-22 path traversal

Signed-off-by: wulan17
---
 pyrogram/methods/messages/download_media.py | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/pyrogram/methods/messages/download_media.py b/pyrogram/methods/messages/download_media.py
index 6ba62526..212bab71 100644
--- a/pyrogram/methods/messages/download_media.py
+++ b/pyrogram/methods/messages/download_media.py
@@ -150,6 +150,17 @@ class DownloadMedia:
         directory, file_name = os.path.split(file_name)
         file_name = file_name or media_file_name or ""
 
+        # Sanitize file name
+        # CWE-22: Path Traversal
+        if file_name:
+            # Remove any path components, keeping only the basename
+            file_name = os.path.basename(file_name)
+            # Remove null bytes which could cause issues
+            file_name = file_name.replace('\x00', '')
+            # Handle edge cases
+            if not file_name or file_name in ('.', '..'):
+                file_name = ""
+
         if not os.path.isabs(file_name):
             directory = self.PARENT_DIR / (directory or DEFAULT_DOWNLOAD_DIR)
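Review bot: The `not os.path.isabs(file_name)` test on the hunk's last context line is now always true, because `os.path.basename` never returns a string containing a separator (on Windows the drive is split off too), so any `else` branch that follows it outside the hunk is unreachable and should either be removed or annotated with `# file_name is a bare basename here; this only resolves the directory`. The sanitizer also only understands the host platform's separator: on POSIX a `media_file_name` such as `a\..\b` survives as one literal file name, which is harmless there but makes `# Remove any path components` overstate what `basename` does; `file_name = os.path.basename(file_name.replace('\\', os.sep))` would behave identically on every platform, at the cost of rewriting the rare legitimate backslash name. Stripping the NUL after `basename` is the right order, since a name that collapses to `..` is then caught by the `('.', '..')` check, and a one-line comment saying so would save the next reader re-deriving it. A regression test pushing `../../x`, `/abs/x` and `..\x00` through the method would pin the fix, which the commit does not add. The enclosing method starts and ends outside the hunk.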