yasirarism/pyrofork
1
0
Fork 0
mirror of https://github.com/Mayuri-Chan/pyrofork.git synced 2025-12-29 12:04:51 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

pyrofork: fix(security): sanitize file names to prevent CWE-22 path traversal

Browse source 
Signed-off-by: wulan17 <wulan17@komodos.id>
This commit is contained in:
yueyueL 2025-12-11 01:11:05 +07:00 committed by wulan17
parent e9c40679d2
commit 2f2d515575
No known key found for this signature in database
GPG key ID: 737814D4B5FF0420
1 changed files with 11 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

11
pyrogram/methods/messages/download_media.py
View file

@ -150,6 +150,17 @@ class DownloadMedia:
directory, file_name = os.path.split(file_name) directory, file_name = os.path.split(file_name)
file_name = file_name or media_file_name or "" file_name = file_name or media_file_name or ""
# Sanitize file name
# CWE-22: Path Traversal
if file_name:
# Remove any path components, keeping only the basename
file_name = os.path.basename(file_name)
# Remove null bytes which could cause issues
file_name = file_name.replace('\x00', '')
# Handle edge cases
if not file_name or file_name in ('.', '..'):
file_name = ""
if not os.path.isabs(file_name): if not os.path.isabs(file_name):
directory = self.PARENT_DIR / (directory or DEFAULT_DOWNLOAD_DIR) directory = self.PARENT_DIR / (directory or DEFAULT_DOWNLOAD_DIR)