Compare commits
4 Commits
| Author | SHA256 | Date | |
|---|---|---|---|
| ae1dafb1ed | |||
| 8d1ca08880 | |||
| 35e7129221 | |||
| 9f9dfc125a |
@@ -1,58 +0,0 @@
|
|||||||
From 9433f4bbc9652bdde82bbe380984e32f8cfc89c4 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Marcelo Trylesinski <marcelotryle@gmail.com>
|
|
||||||
Date: Sun, 25 Jan 2026 10:37:09 +0100
|
|
||||||
Subject: [PATCH] Merge commit from fork
|
|
||||||
|
|
||||||
---
|
|
||||||
python_multipart/multipart.py | 4 +++-
|
|
||||||
tests/test_file.py | 26 ++++++++++++++++++++++++++
|
|
||||||
2 files changed, 29 insertions(+), 1 deletion(-)
|
|
||||||
create mode 100644 tests/test_file.py
|
|
||||||
|
|
||||||
diff --git a/python_multipart/multipart.py b/python_multipart/multipart.py
|
|
||||||
index 0cc4c82..1489b7a 100644
|
|
||||||
--- a/python_multipart/multipart.py
|
|
||||||
+++ b/python_multipart/multipart.py
|
|
||||||
@@ -375,7 +375,9 @@ def __init__(self, file_name: bytes | None, field_name: bytes | None = None, con
|
|
||||||
|
|
||||||
# Split the extension from the filename.
|
|
||||||
if file_name is not None:
|
|
||||||
- base, ext = os.path.splitext(file_name)
|
|
||||||
+ # Extract just the basename to avoid directory traversal
|
|
||||||
+ basename = os.path.basename(file_name)
|
|
||||||
+ base, ext = os.path.splitext(basename)
|
|
||||||
self._file_base = base
|
|
||||||
self._ext = ext
|
|
||||||
|
|
||||||
diff --git a/tests/test_file.py b/tests/test_file.py
|
|
||||||
new file mode 100644
|
|
||||||
index 0000000..4d65232
|
|
||||||
--- /dev/null
|
|
||||||
+++ b/tests/test_file.py
|
|
||||||
@@ -0,0 +1,26 @@
|
|
||||||
+from pathlib import Path
|
|
||||||
+
|
|
||||||
+from python_multipart.multipart import File
|
|
||||||
+
|
|
||||||
+
|
|
||||||
+def test_upload_dir_with_leading_slash_in_filename(tmp_path: Path):
|
|
||||||
+ upload_dir = tmp_path / "upload"
|
|
||||||
+ upload_dir.mkdir()
|
|
||||||
+
|
|
||||||
+ # When the file_name provided has a leading slash, we should only use the basename.
|
|
||||||
+ # This is to avoid directory traversal.
|
|
||||||
+ to_upload = tmp_path / "foo.txt"
|
|
||||||
+
|
|
||||||
+ file = File(
|
|
||||||
+ bytes(to_upload),
|
|
||||||
+ config={
|
|
||||||
+ "UPLOAD_DIR": bytes(upload_dir),
|
|
||||||
+ "UPLOAD_KEEP_FILENAME": True,
|
|
||||||
+ "UPLOAD_KEEP_EXTENSIONS": True,
|
|
||||||
+ "MAX_MEMORY_FILE_SIZE": 10,
|
|
||||||
+ },
|
|
||||||
+ )
|
|
||||||
+ file.write(b"123456789012")
|
|
||||||
+ assert not file.in_memory
|
|
||||||
+ assert Path(upload_dir / "foo.txt").exists()
|
|
||||||
+ assert Path(upload_dir / "foo.txt").read_bytes() == b"123456789012"
|
|
||||||
@@ -1,7 +1,14 @@
|
|||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
Tue Jan 27 09:01:01 UTC 2026 - Nico Krapp <nico.krapp@suse.com>
|
Mon Jan 26 08:21:39 UTC 2026 - Dirk Müller <dmueller@suse.com>
|
||||||
|
|
||||||
- Add CVE-2026-24486.patch to fix CVE-2026-24486 (bsc#1257301)
|
- update to 0.0.22:
|
||||||
|
* Drop directory path from filename in `File` 9433f4b.
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Sun Dec 28 19:46:11 UTC 2025 - Dirk Müller <dmueller@suse.com>
|
||||||
|
|
||||||
|
- update to 0.0.21:
|
||||||
|
* Add support for Python 3.14 and drop EOL 3.8 and 3.9 #216.
|
||||||
|
|
||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
Tue Feb 4 17:06:23 UTC 2025 - Dirk Müller <dmueller@suse.com>
|
Tue Feb 4 17:06:23 UTC 2025 - Dirk Müller <dmueller@suse.com>
|
||||||
|
|||||||
@@ -1,7 +1,7 @@
|
|||||||
#
|
#
|
||||||
# spec file for package python-python-multipart
|
# spec file for package python-python-multipart
|
||||||
#
|
#
|
||||||
# Copyright (c) 2025 SUSE LLC
|
# Copyright (c) 2026 SUSE LLC and contributors
|
||||||
#
|
#
|
||||||
# All modifications and additions to the file contributed by third parties
|
# All modifications and additions to the file contributed by third parties
|
||||||
# remain the property of their copyright owners, unless otherwise agreed
|
# remain the property of their copyright owners, unless otherwise agreed
|
||||||
@@ -18,14 +18,12 @@
|
|||||||
|
|
||||||
%{?sle15_python_module_pythons}
|
%{?sle15_python_module_pythons}
|
||||||
Name: python-python-multipart
|
Name: python-python-multipart
|
||||||
Version: 0.0.20
|
Version: 0.0.22
|
||||||
Release: 0
|
Release: 0
|
||||||
License: Apache-2.0
|
License: Apache-2.0
|
||||||
Summary: Python streaming multipart parser
|
Summary: Python streaming multipart parser
|
||||||
URL: http://github.com/Kludex/python-multipart
|
URL: http://github.com/Kludex/python-multipart
|
||||||
Source: https://files.pythonhosted.org/packages/source/p/python-multipart/python_multipart-%{version}.tar.gz
|
Source: https://files.pythonhosted.org/packages/source/p/python-multipart/python_multipart-%{version}.tar.gz
|
||||||
# PATCH-FIX-UPSTREAM CVE-2026-24486.patch bsc#1257301 gh#Kludex/python-multipart@9433f4b
|
|
||||||
Patch0: CVE-2026-24486.patch
|
|
||||||
BuildRequires: %{python_module hatchling}
|
BuildRequires: %{python_module hatchling}
|
||||||
BuildRequires: %{python_module pip}
|
BuildRequires: %{python_module pip}
|
||||||
BuildRequires: %{python_module wheel}
|
BuildRequires: %{python_module wheel}
|
||||||
|
|||||||
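Review bot: With `Patch0: CVE-2026-24486.patch` and its `# PATCH-FIX-UPSTREAM ... bsc#1257301` comment dropped in this hunk, nothing visible on the 0.0.22 side still names CVE-2026-24486 or bsc#1257301; the accompanying .changes entry cites only upstream commit 9433f4b. Assuming the left column of this side-by-side view is the old side, the reference that security trackers and auditors search for is lost even though the fix ships in the new tarball. I would carry it into the changelog, for example `* Drop directory path from filename in File 9433f4b (CVE-2026-24486, bsc#1257301).` followed by `- drop CVE-2026-24486.patch (fixed upstream)`. It is also worth confirming that the 0.0.22 tarball contains the `os.path.basename()` change before relying on the version bump alone, since the page does not show the tarball contents.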
BIN
python_multipart-0.0.20.tar.gz
LFS
BIN
python_multipart-0.0.20.tar.gz
LFS
Binary file not shown.
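--- a/python_multipart-0.0.22.tar.gz
+++ b/python_multipart-0.0.22.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:7340bef99a7e0032613f56dc36027b959fd3b30a787ed62d310e951f7c3a3a58
+size 37612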