summaryrefslogtreecommitdiff
path: root/tests/utils_tests
diff options
context:
space:
mode:
authorFlorian Apolloner <florian@apolloner.eu>2021-04-14 18:23:44 +0200
committerCarlton Gibson <carlton.gibson@noumenal.es>2021-05-04 08:43:52 +0200
commitc98f446c188596d4ba6de71d1b77b4a6c5c2a007 (patch)
tree88c04654a0a355813023a5fd2920d16100294666 /tests/utils_tests
parent8e1900d4f37c85dfec35fbc785d891dc775fc15f (diff)
[3.2.x] Fixed CVE-2021-31542 -- Tightened path & file name sanitation in file uploads.
Diffstat (limited to 'tests/utils_tests')
-rw-r--r--tests/utils_tests/test_text.py8
1 files changed, 8 insertions, 0 deletions
diff --git a/tests/utils_tests/test_text.py b/tests/utils_tests/test_text.py
index 1b6bfc0b8e..d2a94fcdab 100644
--- a/tests/utils_tests/test_text.py
+++ b/tests/utils_tests/test_text.py
@@ -1,6 +1,7 @@
import json
import sys
+from django.core.exceptions import SuspiciousFileOperation
from django.test import SimpleTestCase, ignore_warnings
from django.utils import text
from django.utils.deprecation import RemovedInDjango40Warning
@@ -255,6 +256,13 @@ class TestUtilsText(SimpleTestCase):
filename = "^&'@{}[],$=!-#()%+~_123.txt"
self.assertEqual(text.get_valid_filename(filename), "-_123.txt")
self.assertEqual(text.get_valid_filename(lazystr(filename)), "-_123.txt")
+ msg = "Could not derive file name from '???'"
+ with self.assertRaisesMessage(SuspiciousFileOperation, msg):
+ text.get_valid_filename('???')
+ # After sanitizing this would yield '..'.
+ msg = "Could not derive file name from '$.$.$'"
+ with self.assertRaisesMessage(SuspiciousFileOperation, msg):
+ text.get_valid_filename('$.$.$')
def test_compress_sequence(self):
data = [{'key': i} for i in range(10)]