| author | Mariusz Felisiak <felisiak.mariusz@gmail.com> | 2021-03-16 10:19:00 +0100 |
|---|---|---|
| committer | Mariusz Felisiak <felisiak.mariusz@gmail.com> | 2021-04-06 08:33:16 +0200 |
| commit | e7fba62248f604c76da4f23dcf1db4a57b0808ea (patch) | |
| tree | 3275a467085c0a34b82592da37332bc556728bf6 /tests/file_uploads/uploadhandler.py | |
| parent | 232d5f61e6afd9cd6f10a47ddb4375f86818717e (diff) | |
[3.0.x] Fixed CVE-2021-28658 -- Fixed potential directory-traversal via uploaded files.
Thanks Claude Paroz for the initial patch.
Thanks Dennis Brinkrolf for the report.
Backport of d4d800ca1addc4141e03c5440a849bb64d1582cd from main.
Diffstat (limited to 'tests/file_uploads/uploadhandler.py')
| -rw-r--r-- | tests/file_uploads/uploadhandler.py | 31 |
1 files changed, 31 insertions, 0 deletions
diff --git a/tests/file_uploads/uploadhandler.py b/tests/file_uploads/uploadhandler.py
index 7c6199fd16..65d70c648c 100644
--- a/tests/file_uploads/uploadhandler.py
+++ b/tests/file_uploads/uploadhandler.py
@@ -1,6 +1,8 @@
 """
 Upload handlers to test the upload API.
 """
+import os
+from tempfile import NamedTemporaryFile
 from django.core.files.uploadhandler import FileUploadHandler, StopUpload
@@ -35,3 +37,32 @@ class ErroringUploadHandler(FileUploadHandler):
 """A handler that raises an exception."""
 def receive_data_chunk(self, raw_data, start):
 raise CustomUploadError("Oops!")
+
+
+class TraversalUploadHandler(FileUploadHandler):
+ """A handler with potential directory-traversal vulnerability."""
+ def __init__(self, request=None):
+ from .views import UPLOAD_TO
+
+ super().__init__(request)
+ self.upload_dir = UPLOAD_TO
+
+ def file_complete(self, file_size):
+ self.file.seek(0)
+ self.file.size = file_size
+ with open(os.path.join(self.upload_dir, self.file_name), 'wb') as fp:
+ fp.write(self.file.read())
+ return self.file
+
+ def new_file(
+ self, field_name, file_name, content_type, content_length, charset=None,
+ content_type_extra=None,
+ ):
+ super().new_file(
+ file_name, file_name, content_length, content_length, charset,
+ content_type_extra,
+ )
+ self.file = NamedTemporaryFile(suffix='.upload', dir=self.upload_dir)
+
+ def receive_data_chunk(self, raw_data, start):
+ self.file.write(raw_data)
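Review bot: The `super().new_file(...)` call in `TraversalUploadHandler.new_file` passes its arguments out of position relative to the signature the method itself declares — `field_name` receives `file_name` and `content_type` receives `content_length`, so the base handler presumably records the wrong field name and content type for the upload even though only `self.file_name` is read afterwards. The call should mirror the signature: `super().new_file(field_name, file_name, content_type, content_length, charset, content_type_extra)`. The `os.path.join(self.upload_dir, self.file_name)` in `file_complete` is the traversal sink this fixture exists to exercise and performs no validation of its own, so it is safe only insofar as the base `new_file` neutralises the name before storing it; a docstring line such as `Relies on FileUploadHandler.new_file validating file_name; the join here is deliberately unchecked and must not be copied into real handlers.` would make that dependency explicit. Note also that `os.path.join` discards `upload_dir` entirely when the second component is absolute, so whatever sanitisation the test relies on has to reject absolute names as well as `..` segments for this sink to be covered.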
