fix(security): sanitize file names to prevent path traversal

SpEcHiDe · SpEcHiDe · commit fe83e1552d7f · 2025-12-12T17:49:33.000+01:00
Ref: Mayuri-Chan/pyrofork@2f2d515
diff --git a/pyrogram/client.py b/pyrogram/client.py
@@ -1021,7 +1021,8 @@ async def handle_download(self, packet):
         file_id, directory, file_name, in_memory, file_size, progress, progress_args = packet
 
         os.makedirs(directory, exist_ok=True) if not in_memory else None
-        temp_file_path = os.path.abspath(re.sub("\\\\", "/", os.path.join(directory, file_name))) + ".temp"
+        mcfn = re.sub("\\\\", "/", os.path.join(directory, file_name))
+        temp_file_path = os.path.abspath(mcfn) + ".temp"
         file = BytesIO() if in_memory else open(temp_file_path, "wb")
 
         try:
diff --git a/pyrogram/methods/messages/download_media.py b/pyrogram/methods/messages/download_media.py
@@ -248,7 +248,8 @@ async def progress(current, total):
                     directory = self.PARENT_DIR / (directory or DEFAULT_DOWNLOAD_DIR)
 
                 os.makedirs(directory, exist_ok=True) if not in_memory else None
-                temp_file_path = os.path.abspath(re.sub("\\\\", "/", os.path.join(directory, file_name)))
+                mcfn = re.sub("\\\\", "/", os.path.join(directory, file_name))
+                temp_file_path = os.path.abspath(mcfn)
 
                 with open(temp_file_path, "wb") as file:
                     file.write(thumb.getbuffer())
@@ -269,6 +270,16 @@ async def progress(current, total):
             mime_type = getattr(media, "mime_type", "")
             date = getattr(media, "date", None)
 
+            # CWE-22: Path Traversal: sanitize file name
+            if media_file_name:
+                # Remove any path components, keeping only the basename
+                media_file_name = os.path.basename(media_file_name)
+                # Remove null bytes which could cause issues
+                media_file_name = media_file_name.replace("\x00", "")
+                # Handle edge cases
+                if not media_file_name or media_file_name in (".", ".."):
+                    media_file_name = ""
+
             directory, file_name = os.path.split(file_name)
             # TODO
             file_name = file_name or media_file_name or ""
