Because of #885165, it may be possible for a remote attacker to man-in-the-middle the connection and provide back a bucket with a filename which includes "/" and/or ".." in the file name. The 'local' file name for a downloaded image is determined by the static method _download_file. [0] The _download_file method will not block directory traversal and will download the image file to the 'local_filename' location through the key.get_contents_to_filename call. The get_contents_to_filename method will open a file at the 'local_filename' location through the following code (which is found in boto/s3/key.py):
    def get_contents_to_filename(self, filename, headers=None,
        ...
        fp = open(filename, 'wb')

[0]
    @staticmethod
    def _download_file(bucket, filename, local_dir):
        key = bucket.get_key(filename)
        local_filename = os.path.join(local_dir, filename)
        key.get_contents_to_filename(local_filename)
        return local_filename
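As an added example (not code from this report or from boto), the following shows the path the os.path.join step of _download_file produces for a traversal-style name, next to a hardened resolver that refuses any remote-supplied name escaping the download directory. The function names and the directory and file names are constructed for illustration.

```python
import os
import posixpath


def vulnerable_local_path(local_dir, filename):
    """Mirrors only the os.path.join step of _download_file: no check on
    'filename', so '..' components survive and an absolute name replaces
    local_dir entirely."""
    return os.path.join(local_dir, filename)


def safe_local_path(local_dir, filename):
    """Return the download target under local_dir, or raise ValueError.

    Two independent checks: the remote-supplied name must be a bare file
    name (no separators, not '.' or '..'), and the resolved absolute path
    must still lie under local_dir as defence in depth."""
    if (not filename
            or filename != posixpath.basename(filename)
            or "\\" in filename
            or filename in (".", "..")):
        raise ValueError("unsafe remote filename: %r" % filename)
    base = os.path.realpath(local_dir)
    target = os.path.realpath(os.path.join(base, filename))
    # commonpath collapses to base only when target is inside it
    if os.path.commonpath([base, target]) != base:
        raise ValueError("resolved path escapes local_dir: %r" % target)
    return target


def is_safe_download_name(local_dir, filename):
    """Boolean wrapper around safe_local_path for use in checks/tests."""
    try:
        safe_local_path(local_dir, filename)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed inputs standing in for a MITM-supplied key name.
    local_dir = "/nonexistent_base_dir/images"
    for name in ("disk.img", "../../escaped.img", "/tmp/escaped.img"):
        print(name, "->", vulnerable_local_path(local_dir, name),
              "| accepted:", is_safe_download_name(local_dir, name))
```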