Hello community,
here is the log from the commit of package python-python-multipart for
openSUSE:Factory checked in at 2026-01-27 16:06:51
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/python-python-multipart (Old)
and /work/SRC/openSUSE:Factory/.python-python-multipart.new.1928 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "python-python-multipart"
Tue Jan 27 16:06:51 2026 rev:13 rq:1329161 version:0.0.22
Changes:
--------
---
/work/SRC/openSUSE:Factory/python-python-multipart/python-python-multipart.changes
2025-12-30 12:00:15.092282316 +0100
+++
/work/SRC/openSUSE:Factory/.python-python-multipart.new.1928/python-python-multipart.changes
2026-01-27 16:07:00.444738264 +0100
@@ -1,0 +2,6 @@
+Mon Jan 26 08:21:39 UTC 2026 - Dirk Müller <[email protected]>
+
+- update to 0.0.22:
+ * Drop directory path from filename in `File` 9433f4b.
+
+-------------------------------------------------------------------
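Review bot: The `* Drop directory path from filename in File 9433f4b.` entry repeats the upstream wording and does not say that the change is a path traversal hardening, although the code comment added in multipart.py reads "Extract just the basename to avoid directory traversal". Consider stating that in the entry, with a tracker reference if one exists, so the update is recognised as security-relevant by anyone scanning the changes file.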
Old:
----
python_multipart-0.0.21.tar.gz
New:
----
python_multipart-0.0.22.tar.gz
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ python-python-multipart.spec ++++++
--- /var/tmp/diff_new_pack.TpdPSx/_old 2026-01-27 16:07:01.184769472 +0100
+++ /var/tmp/diff_new_pack.TpdPSx/_new 2026-01-27 16:07:01.188769641 +0100
@@ -1,7 +1,7 @@
#
# spec file for package python-python-multipart
#
-# Copyright (c) 2025 SUSE LLC and contributors
+# Copyright (c) 2026 SUSE LLC and contributors
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -18,7 +18,7 @@
%{?sle15_python_module_pythons}
Name: python-python-multipart
-Version: 0.0.21
+Version: 0.0.22
Release: 0
License: Apache-2.0
Summary: Python streaming multipart parser
++++++ python_multipart-0.0.21.tar.gz -> python_multipart-0.0.22.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/python_multipart-0.0.21/CHANGELOG.md
new/python_multipart-0.0.22/CHANGELOG.md
--- old/python_multipart-0.0.21/CHANGELOG.md 2020-02-02 01:00:00.000000000
+0100
+++ new/python_multipart-0.0.22/CHANGELOG.md 2020-02-02 01:00:00.000000000
+0100
@@ -1,5 +1,9 @@
# Changelog
+## 0.0.22 (2026-01-25)
+
+* Drop directory path from filename in `File`
[9433f4b](https://github.com/Kludex/python-multipart/commit/9433f4bbc9652bdde82bbe380984e32f8cfc89c4).
+
## 0.0.21 (2025-12-17)
* Add support for Python 3.14 and drop EOL 3.8 and 3.9
[#216](https://github.com/Kludex/python-multipart/pull/216).
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/python_multipart-0.0.21/PKG-INFO
new/python_multipart-0.0.22/PKG-INFO
--- old/python_multipart-0.0.21/PKG-INFO 2020-02-02 01:00:00.000000000
+0100
+++ new/python_multipart-0.0.22/PKG-INFO 2020-02-02 01:00:00.000000000
+0100
@@ -1,6 +1,6 @@
Metadata-Version: 2.4
Name: python-multipart
-Version: 0.0.21
+Version: 0.0.22
Summary: A streaming multipart parser for Python
Project-URL: Homepage, https://github.com/Kludex/python-multipart
Project-URL: Documentation, https://kludex.github.io/python-multipart/
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/python_multipart-0.0.21/python_multipart/__init__.py
new/python_multipart-0.0.22/python_multipart/__init__.py
--- old/python_multipart-0.0.21/python_multipart/__init__.py 2020-02-02
01:00:00.000000000 +0100
+++ new/python_multipart-0.0.22/python_multipart/__init__.py 2020-02-02
01:00:00.000000000 +0100
@@ -2,7 +2,7 @@
__author__ = "Andrew Dunham"
__license__ = "Apache"
__copyright__ = "Copyright (c) 2012-2013, Andrew Dunham"
-__version__ = "0.0.21"
+__version__ = "0.0.22"
from .multipart import (
BaseParser,
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/python_multipart-0.0.21/python_multipart/multipart.py
new/python_multipart-0.0.22/python_multipart/multipart.py
--- old/python_multipart-0.0.21/python_multipart/multipart.py 2020-02-02
01:00:00.000000000 +0100
+++ new/python_multipart-0.0.22/python_multipart/multipart.py 2020-02-02
01:00:00.000000000 +0100
@@ -375,7 +375,9 @@
# Split the extension from the filename.
if file_name is not None:
- base, ext = os.path.splitext(file_name)
+ # Extract just the basename to avoid directory traversal
+ basename = os.path.basename(file_name)
+ base, ext = os.path.splitext(basename)
self._file_base = base
self._ext = ext
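Review bot: `os.path.basename(file_name)` removes directory components, but the value assigned to `self._file_base` can still be unsafe or unusable. It returns `..` unchanged when the input is `..`, returns an empty value when the input ends in a separator, and on POSIX does not treat `\` as a separator, so a Windows-style path sent by a client is kept whole. Suggest rejecting or replacing empty, `.` and `..` results directly after the `basename = ...` line, and documenting on `File` that only the client's basename is kept.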
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/python_multipart-0.0.21/tests/test_file.py
new/python_multipart-0.0.22/tests/test_file.py
--- old/python_multipart-0.0.21/tests/test_file.py 1970-01-01
01:00:00.000000000 +0100
+++ new/python_multipart-0.0.22/tests/test_file.py 2020-02-02
01:00:00.000000000 +0100
@@ -0,0 +1,26 @@
+from pathlib import Path
+
+from python_multipart.multipart import File
+
+
+def test_upload_dir_with_leading_slash_in_filename(tmp_path: Path) -> None:
+ upload_dir = tmp_path / "upload"
+ upload_dir.mkdir()
+
+ # When the file_name provided has a leading slash, we should only use the
basename.
+ # This is to avoid directory traversal.
+ to_upload = tmp_path / "foo.txt"
+
+ file = File(
+ bytes(to_upload),
+ config={
+ "UPLOAD_DIR": bytes(upload_dir),
+ "UPLOAD_KEEP_FILENAME": True,
+ "UPLOAD_KEEP_EXTENSIONS": True,
+ "MAX_MEMORY_FILE_SIZE": 10,
+ },
+ )
+ file.write(b"123456789012")
+ assert not file.in_memory
+ assert Path(upload_dir / "foo.txt").exists()
+ assert Path(upload_dir / "foo.txt").read_bytes() == b"123456789012"
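Review bot: The assertions only check that `upload_dir / "foo.txt"` exists and has the right bytes; nothing asserts that the path the client supplied was left untouched, so the test would still pass if the data were written to both locations. Add `assert not to_upload.exists()` after `file.write(...)`. The test name and comment refer to a leading slash, but the only input is a single absolute path; a relative input such as `../foo.txt` and a name ending in a separator are not covered and would be worth adding as parametrized cases.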