Arbitrary File Write in Apple CFNetwork

This repository is a small standalone Python proof-of-concept bundle for CVE-2026-20660, described as a CFNetwork NSGZipDecoder path traversal issue affecting vulnerable macOS Safari when 'Open safe files after downloading' is enabled. The repo contains two executable Python servers and a README. The main file, server.py, implements an HTTP server that serves a landing page at '/' and a crafted gzip payload at '/download'. Its core capability is generating a valid gzip stream with an attacker-controlled FNAME field in the gzip header via make_gzip_with_fname(). The exploit intentionally keeps the HTTP Content-Disposition filename benign ('report.gz') while embedding traversal sequences like '../' repeated by a configurable depth, or a user-supplied absolute path, in the gzip FNAME. The served payload is a text proof file showing timestamp and chosen FNAME, demonstrating arbitrary file write outside the intended download directory if the target browser auto-opens the archive. The second file, server_overwrite.py, is a narrower variant that imports the gzip builder from server.py and hardcodes a shell script payload plus FNAME '../../pwn.sh', attempting to place a script in the victim user's home directory. Structurally, the repository is simple: README.md documents prerequisites, usage, validation, and observed behavior; server.py is the primary PoC with configurable bind address, port, traversal depth, and target filename; server_overwrite.py is a specialized overwrite demonstration. This is a real exploit PoC rather than a scanner or detection script, but it remains at proof-of-concept maturity because it demonstrates file write with basic hardcoded content rather than a generalized post-exploitation framework.