Python-Multipart Path Traversal Vulnerability Allowing Arbitrary File Write
Vulnerability
A path traversal vulnerability allowing arbitrary file writes has been identified in Python-Multipart versions prior to 0.0.22. This issue arises when the `UPLOAD_DIR` option is set and `UPLOAD_KEEP_FILENAME` is enabled. Under these conditions, an attacker can craft a filename that exploits the way file paths are constructed, bypassing the intended upload directory and writing files to arbitrary locations on the filesystem. The vulnerability is triggered when the uploaded file exceeds the `MAX_MEMORY_FILE_SIZE` limit, causing it to be flushed to disk.
Impact
Exploitation of this vulnerability allows arbitrary file writes to attacker-chosen locations on the filesystem, outside the configured upload directory.
Reproduction
To reproduce this vulnerability, configure Python-Multipart with a custom upload directory (`UPLOAD_DIR`), set `UPLOAD_KEEP_FILENAME` to true, and upload a file larger than `MAX_MEMORY_FILE_SIZE` so that it is flushed to disk. Give the file a filename that starts with a leading slash; the path-joining logic treats it as an absolute path and writes the file outside the intended directory.
Remediation
Users should upgrade to Python-Multipart version 0.0.22 or later. If an upgrade is not possible, avoid using `UPLOAD_KEEP_FILENAME=True` in project configurations.
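The following is an added example, not code from python-multipart, illustrating the path-construction flaw described in the Reproduction section and the kind of check the Remediation implies. `naive_upload_path` reproduces the weak `os.path.join` pattern (an assumption about the vulnerable logic, not a quote of the library); `safe_upload_path` keeps only the final path component and verifies the result stays inside the upload directory. The directory and filenames are constructed sample values.

```python
import os
from pathlib import Path

# Constructed sample upload directory; any absolute directory works.
UPLOAD_DIR = "/var/app/uploads"


def naive_upload_path(upload_dir: str, filename: str) -> str:
    """Weak pattern (assumed, for illustration): os.path.join discards every
    earlier component when a later one is absolute, so a filename beginning
    with '/' replaces upload_dir entirely."""
    return os.path.join(upload_dir, filename)


def is_traversal_attempt(filename: str) -> bool:
    """Detection hook: True when the client-supplied filename carries any
    directory component (leading slash, '..', backslashes, etc.).
    Useful for logging or rejecting the request outright."""
    normalized = filename.replace("\\", "/")
    return normalized != os.path.basename(normalized) or normalized in ("", ".", "..")


def safe_upload_path(upload_dir: str, filename: str) -> str:
    """Hardened pattern: strip the filename to its last component, then
    confirm the resolved target is a direct child of upload_dir."""
    base = os.path.basename(filename.replace("\\", "/"))
    if base in ("", ".", ".."):
        raise ValueError("unusable filename")
    root = Path(upload_dir).resolve()
    candidate = (root / base).resolve()
    if candidate.parent != root:
        raise ValueError("filename escapes upload directory")
    return str(candidate)


if __name__ == "__main__":
    # Constructed sample filenames as a client might send them.
    for name in ("report.pdf", "/tmp/owned.txt", "../../etc/passwd"):
        flag = "TRAVERSAL" if is_traversal_attempt(name) else "ok"
        print(f"{name!r:24} naive={naive_upload_path(UPLOAD_DIR, name)!r:32} "
              f"safe={safe_upload_path(UPLOAD_DIR, name)!r} [{flag}]")
```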
