Fix path traversal when downloading documents

Closes #4713.
2025-12-03 08:13:53 +03:00 · 2025-10-19 19:24:03 +02:00 · 2025-10-19 19:24:03 +02:00 · 369bfe1a2a
commit 369bfe1a2a
parent baf35e9e7e
1 changed files with 4 additions and 1 deletions
--- a/telethon/client/downloads.py
+++ b/telethon/client/downloads.py
@ -1054,8 +1054,11 @@ class DownloadMethods:

        if os.path.isdir(file) or not file:
            try:
+                isreserved = getattr(os.path, 'isreserved', lambda _: False)  # Python 3.13 and above
                name = None if possible_names is None else next(
-                    x for x in possible_names if x
+                    x  # basename to prevent path traversal (#4713)
+                    for x in map(os.path.basename, possible_names)
+                    if x and not isreserved(x)
                )
            except StopIteration:
                name = None