From 369bfe1a2a8300aee2dc8acb58b8685f4f7a40e8 Mon Sep 17 00:00:00 2001
From: Lonami Exo <totufals@hotmail.com>
Date: Sun, 19 Oct 2025 19:24:03 +0200
Subject: [PATCH] Fix path traversal when downloading documents

Closes #4713.
---
 telethon/client/downloads.py | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/telethon/client/downloads.py b/telethon/client/downloads.py
index a3e7dd41..07514324 100644
--- a/telethon/client/downloads.py
+++ b/telethon/client/downloads.py
@@ -1054,8 +1054,11 @@ class DownloadMethods:
 
         if os.path.isdir(file) or not file:
             try:
+                isreserved = getattr(os.path, 'isreserved', lambda _: False)  # Python 3.13 and above
                 name = None if possible_names is None else next(
-                    x for x in possible_names if x
+                    x  # basename to prevent path traversal (#4713)
+                    for x in map(os.path.basename, possible_names)
+                    if x and not isreserved(x)
                 )
             except StopIteration:
                 name = None