Bug report

The function uu.decode is vulnerable to trivial directory traversal if no output filename is given. An uu-encoded file with a path starting with a repetition of ../../ or a / allows writing a file to an arbitrary location on the filesystem.

I reported this tosecurity@python.org and was asked to report it publicly as the function is rarely used and removal is planned anyway for Python 3.13.

Your environment

CPython versions tested on: 3.10.8
Operating system and architecture: Linux

example files

Case 1:

begin 644 ../../../../../../../../tmp/test1$86)C"@```end

Case 2:

begin 644 /tmp/test2$86)C"@```end

Linked PRs

• gh-99889: Fix directory traversal security flaw in uu.decode() #104096
• [3.11] gh-99889: Fix directory traversal security flaw in uu.decode() (GH-104096) #104329
• [3.10] gh-99889: Fix directory traversal security flaw in uu.decode() (GH-104096) #104330
• [3.9] gh-99889: Fix directory traversal security flaw in uu.decode() (GH-104096) #104331
• [3.8] gh-99889: Fix directory traversal security flaw in uu.decode() (GH-104096) #104332
• [3.7] gh-99889: Fix directory traversal security flaw in uu.decode() (GH-104096) #104333