2 files changed, 62 insertions, 0 deletions
diff --git a/meta-python/recipes-devtools/python/python3-python-multipart/CVE-2026-24486.patch b/meta-python/recipes-devtools/python/python3-python-multipart/CVE-2026-24486.patch
new file mode 100644
index 0000000000..110737a761
--- /dev/null
+++ b/meta-python/recipes-devtools/python/python3-python-multipart/CVE-2026-24486.patch
@@ -0,0 +1,61 @@
+From 1194f169d7f6db3b518c40ef703135ffc4015ebe Mon Sep 17 00:00:00 2001
+From: Marcelo Trylesinski <marcelotryle@gmail.com>
+Date: Sun, 25 Jan 2026 10:37:09 +0100
+Subject: [PATCH] Merge commit from fork
+CVE: CVE-2026-24486
+Upstream-Status: Backport [https://github.com/Kludex/python-multipart/commit/9433f4bbc9652bdde82bbe380984e32f8cfc89c4]
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+ python_multipart/multipart.py |  4 +++-
+ tests/test_file.py            | 26 ++++++++++++++++++++++++++
+ 2 files changed, 29 insertions(+), 1 deletion(-)
+ create mode 100644 tests/test_file.py
+diff --git a/python_multipart/multipart.py b/python_multipart/multipart.py
+index f26a815..7168c96 100644
+--- a/python_multipart/multipart.py
+++ b/python_multipart/multipart.py
+@@ -376,7 +376,9 @@ class File:
+ 
+         # Split the extension from the filename.
+         if file_name is not None:
+-            base, ext = os.path.splitext(file_name)
+            # Extract just the basename to avoid directory traversal
+            basename = os.path.basename(file_name)
+            base, ext = os.path.splitext(basename)
+             self._file_base = base
+             self._ext = ext
+ 
+diff --git a/tests/test_file.py b/tests/test_file.py
+new file mode 100644
+index 0000000..4d65232
+--- /dev/null
+++ b/tests/test_file.py
+@@ -0,0 +1,26 @@
+from pathlib import Path
+
+from python_multipart.multipart import File
+
+
+def test_upload_dir_with_leading_slash_in_filename(tmp_path: Path):
+    upload_dir = tmp_path / "upload"
+    upload_dir.mkdir()
+
+    # When the file_name provided has a leading slash, we should only use the basename.
+    # This is to avoid directory traversal.
+    to_upload = tmp_path / "foo.txt"
+
+    file = File(
+        bytes(to_upload),
+        config={
+            "UPLOAD_DIR": bytes(upload_dir),
+            "UPLOAD_KEEP_FILENAME": True,
+            "UPLOAD_KEEP_EXTENSIONS": True,
+            "MAX_MEMORY_FILE_SIZE": 10,
+        },
+    )
+    file.write(b"123456789012")
+    assert not file.in_memory
+    assert Path(upload_dir / "foo.txt").exists()
+    assert Path(upload_dir / "foo.txt").read_bytes() == b"123456789012"
diff --git a/meta-python/recipes-devtools/python/python3-python-multipart_0.0.20.bb b/meta-python/recipes-devtools/python/python3-python-multipart_0.0.20.bb
index 71f9674ec8..fcb04bac04 100644
--- a/meta-python/recipes-devtools/python/python3-python-multipart_0.0.20.bb
+++ b/meta-python/recipes-devtools/python/python3-python-multipart_0.0.20.bb
@@ -2,6 +2,7 @@ SUMMARY = "A streaming multipart parser for Python"
 LICENSE = "Apache-2.0"
 LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=3d98f0d58b28321924a89ab60c82410e"
+SRC_URI += "file://CVE-2026-24486.patch"
 SRC_URI[sha256sum] = "8dd0cab45b8e23064ae09147625994d090fa46f5b0d1e13af944c331a7fa9d13"
 inherit pypi python_hatchling ptest-python-pytest

diff --git a/meta-python/recipes-devtools/python/python3-python-multipart/CVE-2026-24486.patch b/meta-python/recipes-devtools/python/python3-python-multipart/CVE-2026-24486.patch new file mode 100644 index 0000000000..110737a761 --- /dev/null +++ b/meta-python/recipes-devtools/python/python3-python-multipart/CVE-2026-24486.patch
@@ -0,0 +1,61 @@
		1	From 1194f169d7f6db3b518c40ef703135ffc4015ebe Mon Sep 17 00:00:00 2001
		2	From: Marcelo Trylesinski <marcelotryle@gmail.com>
		3	Date: Sun, 25 Jan 2026 10:37:09 +0100
		4	Subject: [PATCH] Merge commit from fork
		5
		6	CVE: CVE-2026-24486
		7	Upstream-Status: Backport [https://github.com/Kludex/python-multipart/commit/9433f4bbc9652bdde82bbe380984e32f8cfc89c4]
		8	Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
		9	---
		10	python_multipart/multipart.py \| 4 +++-
		11	tests/test_file.py \| 26 ++++++++++++++++++++++++++
		12	2 files changed, 29 insertions(+), 1 deletion(-)
		13	create mode 100644 tests/test_file.py
		14
		15	diff --git a/python_multipart/multipart.py b/python_multipart/multipart.py
		16	index f26a815..7168c96 100644
		17	--- a/python_multipart/multipart.py
		18	+++ b/python_multipart/multipart.py
		19	@@ -376,7 +376,9 @@ class File:
		20
		21	# Split the extension from the filename.
		22	if file_name is not None:
		23	- base, ext = os.path.splitext(file_name)
		24	+ # Extract just the basename to avoid directory traversal
		25	+ basename = os.path.basename(file_name)
		26	+ base, ext = os.path.splitext(basename)
		27	self._file_base = base
		28	self._ext = ext
		29
		30	diff --git a/tests/test_file.py b/tests/test_file.py
		31	new file mode 100644
		32	index 0000000..4d65232
		33	--- /dev/null
		34	+++ b/tests/test_file.py
		35	@@ -0,0 +1,26 @@
		36	+from pathlib import Path
		37	+
		38	+from python_multipart.multipart import File
		39	+
		40	+
		41	+def test_upload_dir_with_leading_slash_in_filename(tmp_path: Path):
		42	+ upload_dir = tmp_path / "upload"
		43	+ upload_dir.mkdir()
		44	+
		45	+ # When the file_name provided has a leading slash, we should only use the basename.
		46	+ # This is to avoid directory traversal.
		47	+ to_upload = tmp_path / "foo.txt"
		48	+
		49	+ file = File(
		50	+ bytes(to_upload),
		51	+ config={
		52	+ "UPLOAD_DIR": bytes(upload_dir),
		53	+ "UPLOAD_KEEP_FILENAME": True,
		54	+ "UPLOAD_KEEP_EXTENSIONS": True,
		55	+ "MAX_MEMORY_FILE_SIZE": 10,
		56	+ },
		57	+ )
		58	+ file.write(b"123456789012")
		59	+ assert not file.in_memory
		60	+ assert Path(upload_dir / "foo.txt").exists()
		61	+ assert Path(upload_dir / "foo.txt").read_bytes() == b"123456789012"


diff --git a/meta-python/recipes-devtools/python/python3-python-multipart_0.0.20.bb b/meta-python/recipes-devtools/python/python3-python-multipart_0.0.20.bb index 71f9674ec8..fcb04bac04 100644 --- a/meta-python/recipes-devtools/python/python3-python-multipart_0.0.20.bb +++ b/meta-python/recipes-devtools/python/python3-python-multipart_0.0.20.bb
@@ -2,6 +2,7 @@ SUMMARY = "A streaming multipart parser for Python"
2	LICENSE = "Apache-2.0"	2	LICENSE = "Apache-2.0"
3	LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=3d98f0d58b28321924a89ab60c82410e"	3	LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=3d98f0d58b28321924a89ab60c82410e"
4		4
		5	SRC_URI += "file://CVE-2026-24486.patch"
5	SRC_URI[sha256sum] = "8dd0cab45b8e23064ae09147625994d090fa46f5b0d1e13af944c331a7fa9d13"	6	SRC_URI[sha256sum] = "8dd0cab45b8e23064ae09147625994d090fa46f5b0d1e13af944c331a7fa9d13"
6		7
7	inherit pypi python_hatchling ptest-python-pytest	8	inherit pypi python_hatchling ptest-python-pytest