From 3a700b5b8b53606fd98ef8294a56f9510f7290f8 Mon Sep 17 00:00:00 2001
From: Aarni Koskela <akx@iki.fi>
Date: Wed, 28 Apr 2021 10:33:40 +0300
Subject: [PATCH 1/2] Run locale identifiers through `os.path.basename()`

---
 babel/localedata.py      |  2 ++
 tests/test_localedata.py | 30 +++++++++++++++++++++++++++++-
 2 files changed, 31 insertions(+), 1 deletion(-)

diff --git a/babel/localedata.py b/babel/localedata.py
index f4771d1fd..11085490a 100644
--- a/babel/localedata.py
+++ b/babel/localedata.py
@@ -47,6 +47,7 @@ def exists(name):
     """
     if not name or not isinstance(name, string_types):
         return False
+    name = os.path.basename(name)
     if name in _cache:
         return True
     file_found = os.path.exists(os.path.join(_dirname, '%s.dat' % name))
@@ -102,6 +103,7 @@ def load(name, merge_inherited=True):
     :raise `IOError`: if no locale data file is found for the given locale
                       identifer, or one of the locales it inherits from
     """
+    name = os.path.basename(name)
     _cache_lock.acquire()
     try:
         data = _cache.get(name)
diff --git a/tests/test_localedata.py b/tests/test_localedata.py
index 83cd66994..9cb4282e4 100644
--- a/tests/test_localedata.py
+++ b/tests/test_localedata.py
@@ -11,11 +11,17 @@
 # individuals. For the exact contribution history, see the revision
 # history and logs, available at http://babel.edgewall.org/log/.
 
+import os
+import pickle
+import sys
+import tempfile
 import unittest
 import random
 from operator import methodcaller
 
-from babel import localedata
+import pytest
+
+from babel import localedata, Locale, UnknownLocaleError
 
 
 class MergeResolveTestCase(unittest.TestCase):
@@ -131,3 +137,25 @@ def listdir_spy(*args):
     localedata.locale_identifiers.cache = None
     assert localedata.locale_identifiers()
     assert len(listdir_calls) == 2
+
+
+def test_locale_name_cleanup():
+    """
+    Test that locale identifiers are cleaned up to avoid directory traversal.
+    """
+    no_exist_name = os.path.join(tempfile.gettempdir(), "babel%d.dat" % random.randint(1, 99999))
+    with open(no_exist_name, "wb") as f:
+        pickle.dump({}, f)
+
+    try:
+        name = os.path.splitext(os.path.relpath(no_exist_name, localedata._dirname))[0]
+    except ValueError:
+        if sys.platform == "win32":
+            pytest.skip("unable to form relpath")
+        raise
+
+    assert not localedata.exists(name)
+    with pytest.raises(IOError):
+        localedata.load(name)
+    with pytest.raises(UnknownLocaleError):
+        Locale(name)

From 5caf717ceca4bd235552362b4fbff88983c75d8c Mon Sep 17 00:00:00 2001
From: Aarni Koskela <akx@iki.fi>
Date: Wed, 28 Apr 2021 11:47:42 +0300
Subject: [PATCH 2/2] Disallow special filenames on Windows

---
 babel/localedata.py      | 24 +++++++++++++++++++++---
 tests/test_localedata.py |  9 +++++++++
 2 files changed, 30 insertions(+), 3 deletions(-)

diff --git a/babel/localedata.py b/babel/localedata.py
index 11085490a..782b7afa0 100644
--- a/babel/localedata.py
+++ b/babel/localedata.py
@@ -13,6 +13,8 @@
 """
 
 import os
+import re
+import sys
 import threading
 from itertools import chain
 
@@ -22,6 +24,7 @@
 _cache = {}
 _cache_lock = threading.RLock()
 _dirname = os.path.join(os.path.dirname(__file__), 'locale-data')
+_windows_reserved_name_re = re.compile("^(con|prn|aux|nul|com[0-9]|lpt[0-9])$", re.I)
 
 
 def normalize_locale(name):
@@ -38,6 +41,22 @@ def normalize_locale(name):
             return locale_id
 
 
+def resolve_locale_filename(name):
+    """
+    Resolve a locale identifier to a `.dat` path on disk.
+    """
+
+    # Clean up any possible relative paths.
+    name = os.path.basename(name)
+
+    # Ensure we're not left with one of the Windows reserved names.
+    if sys.platform == "win32" and _windows_reserved_name_re.match(os.path.splitext(name)[0]):
+        raise ValueError("Name %s is invalid on Windows" % name)
+
+    # Build the path.
+    return os.path.join(_dirname, '%s.dat' % name)
+
+
 def exists(name):
     """Check whether locale data is available for the given locale.
 
@@ -47,10 +66,9 @@ def exists(name):
     """
     if not name or not isinstance(name, string_types):
         return False
-    name = os.path.basename(name)
     if name in _cache:
         return True
-    file_found = os.path.exists(os.path.join(_dirname, '%s.dat' % name))
+    file_found = os.path.exists(resolve_locale_filename(name))
     return True if file_found else bool(normalize_locale(name))
 
 
@@ -121,7 +139,7 @@ def load(name, merge_inherited=True):
                     else:
                         parent = '_'.join(parts[:-1])
                 data = load(parent).copy()
-            filename = os.path.join(_dirname, '%s.dat' % name)
+            filename = resolve_locale_filename(name)
             with open(filename, 'rb') as fileobj:
                 if name != 'root' and merge_inherited:
                     merge(data, pickle.load(fileobj))
diff --git a/tests/test_localedata.py b/tests/test_localedata.py
index 9cb4282e4..c852c1b69 100644
--- a/tests/test_localedata.py
+++ b/tests/test_localedata.py
@@ -159,3 +159,12 @@ def test_locale_name_cleanup():
         localedata.load(name)
     with pytest.raises(UnknownLocaleError):
         Locale(name)
+
+
+@pytest.mark.skipif(sys.platform != "win32", reason="windows-only test")
+def test_reserved_locale_names():
+    for name in ("con", "aux", "nul", "prn", "com8", "lpt5"):
+        with pytest.raises(ValueError):
+            localedata.load(name)
+        with pytest.raises(ValueError):
+            Locale(name)