summaryrefslogtreecommitdiff
path: root/docs/ref
diff options
context:
space:
mode:
authorTim Graham <timograham@gmail.com>2014-08-08 10:20:08 -0400
committerTim Graham <timograham@gmail.com>2014-08-20 14:42:48 -0400
commit3123f8452cf49071be9110e277eea60ba0032216 (patch)
treed8c2b01ca397f504cf27e1ee23b38c8ca1679cfb /docs/ref
parentbf650a2ee78c6d1f4544a875dcc777cf27fe93e9 (diff)
[1.7.x] Fixed #23157 -- Removed O(n) algorithm when uploading duplicate file names.
This is a security fix. Disclosure following shortly.
Diffstat (limited to 'docs/ref')
-rw-r--r--docs/ref/files/storage.txt12
1 files changed, 12 insertions, 0 deletions
diff --git a/docs/ref/files/storage.txt b/docs/ref/files/storage.txt
index 1d2c31972e..3200ec3914 100644
--- a/docs/ref/files/storage.txt
+++ b/docs/ref/files/storage.txt
@@ -112,6 +112,18 @@ The Storage Class
available for new content to be written to on the target storage
system.
+ .. versionchanged:: 1.7
+
+ If a file with ``name`` already exists, an underscore plus a random 7
+ character alphanumeric string is appended to the filename before the
+ extension.
+
+ Previously, an underscore followed by a number (e.g. ``"_1"``, ``"_2"``,
+ etc.) was appended to the filename until an avaible name in the
+ destination directory was found. A malicious user could exploit this
+ deterministic algorithm to create a denial-of-service attack. This
+ change was also made in Django 1.6.6, 1.5.9, and 1.4.14.
+
.. method:: get_valid_name(name)
Returns a filename based on the ``name`` parameter that's suitable