Merge pull request #6418 from gzpan123/master

FIX #6413 pip install <url> allow directory traversal
author: Chris Jerdonek <chris.jerdonek@gmail.com> 2019-06-11 01:11:42 -0700
committer: GitHub <noreply@github.com> 2019-06-11 01:11:42 -0700
commit: 5776ddd05896162e283737d7fcdf8f5a63a97bbc (patch)
tree: 31489e9937b6a68ac8d94caee665b3b1685c4efe /news
parent: 148519396d2c66fd653805546f6356525bfa6eae (diff)
parent: a4c735b14a62f9cb864533808ac63936704f2ace (diff)
download: pip-5776ddd05896162e283737d7fcdf8f5a63a97bbc.tar.gz
1 files changed, 3 insertions, 0 deletions
diff --git a/news/6413.bugfix b/news/6413.bugfix
new file mode 100644
index 000000000..68d0a72f6
--- /dev/null
+++ b/news/6413.bugfix
@@ -0,0 +1,3 @@
+Prevent ``pip install <url>`` from permitting directory traversal if e.g.
+a malicious server sends a ``Content-Disposition`` header with a filename
+containing ``../`` or ``..\\``.
author	Chris Jerdonek <chris.jerdonek@gmail.com>	2019-06-11 01:11:42 -0700
committer	GitHub <noreply@github.com>	2019-06-11 01:11:42 -0700
commit	5776ddd05896162e283737d7fcdf8f5a63a97bbc (patch)
tree	31489e9937b6a68ac8d94caee665b3b1685c4efe /news
parent	148519396d2c66fd653805546f6356525bfa6eae (diff)
parent	a4c735b14a62f9cb864533808ac63936704f2ace (diff)
download	pip-5776ddd05896162e283737d7fcdf8f5a63a97bbc.tar.gz