Share
## https://sploitus.com/exploit?id=8E6925DF-57A1-57F0-89BC-D5C7DCF68390
# Intro
 Python 3.11 through 3.11.4, there's a problem with the os.path.normpath() function where you can cut off the path unexpectedly with `normpath()`.

 ### What is `normpath()`?

 *os.path.normpath()* method in Python is used to normalize the specified path. All redundant separator and up-level references are collapsed in the process of path normalization. 
 For example: A//B, A/B/, A/./B and A/foo/../B all will be normalized to A/B. 
 - [GeekforGeeks](https://www.geeksforgeeks.org/python-os-path-normpath-method/)


# PoC
Let's break down `example.py` to understand whats what

Importing the bult in function `path`.
```python
from os import path
```

normalizing the path but we add `\0` at first
```python
normalized_path = path.normpath('\0')
```

here we print the new path
```python
print(normalized_path)
```

and output will be

![image](https://github.com/JawadPy/CVE-2023-41105-Exploit/assets/98477272/4f684e43-21e4-47bc-9184-b12d22d6d2e9)


Now instead of using `\0` I will replace it with `\0\images\anything.png`

![image](https://github.com/JawadPy/CVE-2023-41105-Exploit/assets/98477272/3e7bbae4-75c0-4e8f-8aa5-4de5e563f264)

This directly switching the path to root path instead of normalize the specified path. It's for sure critical when it comes to websites and so on...

# Support
If you would like to support me with donation, I recommend you to give it to someone who really need it please. If you do so then consider that i earned your support.

<a href="https://www.buymeacoffee.com/jawadpy" target="_blank"><img src="https://cdn.buymeacoffee.com/buttons/v2/default-green.png" alt="Buy Me A Coffee" style="height: 60px !important;width: 217px !important;" ></a>