pyrofork: fix(security): sanitize file names to prevent CWE-22 path traversal

yueyueL · wulan17 · commit 2f2d515575cc · 2025-12-11T01:28:01.000+07:00
Signed-off-by: wulan17 &lt;wulan17@komodos.id&gt;
diff --git a/pyrogram/methods/messages/download_media.py b/pyrogram/methods/messages/download_media.py
@@ -150,6 +150,17 @@ async def progress(current, total):
 directory, file_name = os.path.split(file_name)
 file_name = file_name or media_file_name or ""
 
+ # Sanitize file name
+ # CWE-22: Path Traversal
+ if file_name:
+ # Remove any path components, keeping only the basename
+ file_name = os.path.basename(file_name)
+ # Remove null bytes which could cause issues
+ file_name = file_name.replace('\x00', '')
+ # Handle edge cases
+ if not file_name or file_name in ('.', '..'):
+ file_name = ""
+
 if not os.path.isabs(file_name):
 directory = self.PARENT_DIR / (directory or DEFAULT_DOWNLOAD_DIR)
 

-Original file line number
+Diff line change
 directory, file_name=os.path.split(file_name)
 file_name=file_nameormedia_file_nameor""
 +# Sanitize file name
 +# CWE-22: Path Traversal
 +iffile_name:
 +# Remove any path components, keeping only the basename
 +file_name=os.path.basename(file_name)
 +# Remove null bytes which could cause issues
 +file_name=file_name.replace('\x00', '')
 +# Handle edge cases
 +ifnotfile_nameorfile_namein ('.', '..'):
 +file_name=""
++
 ifnotos.path.isabs(file_name):
 directory=self.PARENT_DIR/ (directoryorDEFAULT_DOWNLOAD_DIR)