Comment 0 for bug 885167

David (d--) wrote :

Because of #885165, it may be possible for a remote attacker to man-in-the-middle the connection and provide back a bucket with a filename which includes "/" and/or ".." in the filename. The 'local' filename for a downloaded image is determined by the static method _download_file. [0] The _download_file method will not block directory traversal and will download the image file to the 'local_filename' location through the key.get_contents_to_filename call. The get_contents_to_filename method will open a file at the 'local_filename' location through the following code (which is found in boto/s3/key.py):

  def get_contents_to_filename(self, filename, headers=None,
      ...
     fp = open(filename, 'wb')

[0]
    @staticmethod
    def _download_file(bucket, filename, local_dir):
        key = bucket.get_key(filename)
        # 'filename' is the S3 key name and is joined to local_dir unchanged
        local_filename = os.path.join(local_dir, filename)
        key.get_contents_to_filename(local_filename)
        return local_filename
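Added example (not code from the bug report or the project): a hypothetical hardened replacement for the join in _download_file, shown next to the unchecked join so the difference is testable. It assumes a POSIX filesystem; the key names run through it are constructed samples.

```python
import os
import tempfile


class UnsafeImageName(ValueError):
    """Raised when an S3 key name could escape the download directory."""


def naive_local_path(local_dir, filename):
    """The join exactly as _download_file does it, kept for comparison."""
    return os.path.join(local_dir, filename)


def safe_local_path(local_dir, filename):
    """Return a path inside local_dir for this key name, or raise.

    Rejects absolute names (os.path.join drops local_dir entirely for
    those), empty / "." / ".." components, and anything whose resolved
    path does not land under local_dir (covers symlinks in local_dir).
    """
    if os.path.isabs(filename):
        raise UnsafeImageName("absolute path in key name: %r" % filename)
    parts = filename.split("/")  # S3 key names always use "/"
    if any(p in ("", ".", "..") for p in parts):
        raise UnsafeImageName("bad path component in key name: %r" % filename)
    base = os.path.realpath(local_dir)
    candidate = os.path.realpath(os.path.join(base, *parts))
    if not candidate.startswith(base + os.sep):
        raise UnsafeImageName("key name escapes download dir: %r" % filename)
    return candidate


def accepts(local_dir, filename):
    """True if safe_local_path would allow this key name, else False."""
    try:
        safe_local_path(local_dir, filename)
        return True
    except UnsafeImageName:
        return False


def demo():
    """Run constructed key names through both joins in a throwaway temp dir."""
    local_dir = tempfile.mkdtemp(prefix="images-")
    try:
        names = ["ubuntu.img", "2011/ubuntu.img", "../../etc/passwd",
                 "/etc/passwd", "images/../../outside.img"]
        accepted = dict((n, accepts(local_dir, n)) for n in names)
        # Does the unchecked join let "../../etc/passwd" leave local_dir?
        naive_target = os.path.realpath(naive_local_path(local_dir, "../../etc/passwd"))
        naive_escaped = not naive_target.startswith(os.path.realpath(local_dir) + os.sep)
        return accepted, naive_escaped
    finally:
        os.rmdir(local_dir)
```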