Path traversal and filename control chars
natronkeltner opened this issue
natronkeltner commented
Looks like 842916d accidentally introduced a path traversal vuln as os.path.pathsep (":") != os.path.sep ("/").
In det.py:
filename = "%s.%s" % (fname.replace(os.path.pathsep, ''), time.strftime("%Y-%m-%d.%H:%M:%S", time.gmtime()))
Also, since you can inject filenames with arbitrary contents, it'd be a good idea to filter the filename to disallow non-ASCII printable characters. Combined with the path traversal, it might be possible to plant a file somewhere that'd abuse globbing ("foo *") in a script somewhere and get RCE out of it. (The tar example here probably wouldn't work, but maybe one could be found.)
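To make the two points of the report concrete, here is an added example (not code from the project or the reporter) that puts the quoted line beside a hardened replacement: it strips the directory part, restricts the name to a conservative printable-ASCII allowlist, and checks that the final path still sits directly under the upload directory. The names filename_vulnerable, sanitize_filename and safe_target, the "uploads" directory and the fixed timestamp are assumptions made for the demonstration.

```python
import os
import re
import time

# The line quoted in the issue: os.path.pathsep is ":" on POSIX, so "/" and
# ".." survive and the name can escape the directory it is written into.
# (now is a fixed epoch value so the result is reproducible; None = current time)
def filename_vulnerable(fname, now=None):
    stamp = time.strftime("%Y-%m-%d.%H:%M:%S", time.gmtime(now))
    return "%s.%s" % (fname.replace(os.path.pathsep, ''), stamp)

# Hardened form (hypothetical, added here): allow only a small printable-ASCII
# set, so shell metacharacters such as space or "*" never reach the filesystem.
_DISALLOWED = re.compile(r'[^A-Za-z0-9._-]')

def sanitize_filename(fname):
    # Drop any directory component, whichever separator convention was used.
    base = fname.replace('\\', '/').rsplit('/', 1)[-1]
    base = _DISALLOWED.sub('_', base)
    # Strip leading/trailing dots so "", ".", ".." and hidden names collapse
    # to a fixed fallback instead of becoming a traversal or a dotfile.
    base = base.strip('.')
    return base or 'upload'

def safe_target(base_dir, fname, now=None):
    stamp = time.strftime("%Y-%m-%d.%H:%M:%S", time.gmtime(now))
    name = "%s.%s" % (sanitize_filename(fname), stamp)
    target = os.path.realpath(os.path.join(base_dir, name))
    root = os.path.realpath(base_dir)
    # Defence in depth: even if sanitisation regresses, refuse anything whose
    # resolved parent is not exactly the upload directory.
    if os.path.dirname(target) != root:
        raise ValueError("path escapes base directory: %r" % fname)
    return target
```

Note that the check in safe_target is against the resolved path, so it also catches a name that only becomes a traversal after normalisation.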