diff options
| author | Florian Apolloner <florian@apolloner.eu> | 2021-04-14 18:23:44 +0200 |
|---|---|---|
| committer | Carlton Gibson <carlton.gibson@noumenal.es> | 2021-05-04 08:43:52 +0200 |
| commit | c98f446c188596d4ba6de71d1b77b4a6c5c2a007 (patch) | |
| tree | 88c04654a0a355813023a5fd2920d16100294666 /tests/utils_tests | |
| parent | 8e1900d4f37c85dfec35fbc785d891dc775fc15f (diff) | |
[3.2.x] Fixed CVE-2021-31542 -- Tightened path & file name sanitation in file uploads.
Diffstat (limited to 'tests/utils_tests')
| -rw-r--r-- | tests/utils_tests/test_text.py | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/tests/utils_tests/test_text.py b/tests/utils_tests/test_text.py index 1b6bfc0b8e..d2a94fcdab 100644 --- a/tests/utils_tests/test_text.py +++ b/tests/utils_tests/test_text.py @@ -1,6 +1,7 @@ import json import sys +from django.core.exceptions import SuspiciousFileOperation from django.test import SimpleTestCase, ignore_warnings from django.utils import text from django.utils.deprecation import RemovedInDjango40Warning @@ -255,6 +256,13 @@ class TestUtilsText(SimpleTestCase): filename = "^&'@{}[],$=!-#()%+~_123.txt" self.assertEqual(text.get_valid_filename(filename), "-_123.txt") self.assertEqual(text.get_valid_filename(lazystr(filename)), "-_123.txt") + msg = "Could not derive file name from '???'" + with self.assertRaisesMessage(SuspiciousFileOperation, msg): + text.get_valid_filename('???') + # After sanitizing this would yield '..'. + msg = "Could not derive file name from '$.$.$'" + with self.assertRaisesMessage(SuspiciousFileOperation, msg): + text.get_valid_filename('$.$.$') def test_compress_sequence(self): data = [{'key': i} for i in range(10)] |
