From 0d8d30b7ddfe83ab03120f4560c7aa153f4d0ed1 Mon Sep 17 00:00:00 2001 From: Tim Graham Date: Fri, 8 Aug 2014 10:20:08 -0400 Subject: Fixed #23157 -- Removed O(n) algorithm when uploading duplicate file names. This is a security fix. Disclosure following shortly. --- docs/ref/files/storage.txt | 12 ++++++++++++ 1 file changed, 12 insertions(+) (limited to 'docs/ref') diff --git a/docs/ref/files/storage.txt b/docs/ref/files/storage.txt index 1d2c31972e..3200ec3914 100644 --- a/docs/ref/files/storage.txt +++ b/docs/ref/files/storage.txt @@ -112,6 +112,18 @@ The Storage Class available for new content to be written to on the target storage system. + .. versionchanged:: 1.7 + + If a file with ``name`` already exists, an underscore plus a random 7 + character alphanumeric string is appended to the filename before the + extension. + + Previously, an underscore followed by a number (e.g. ``"_1"``, ``"_2"``, + etc.) was appended to the filename until an avaible name in the + destination directory was found. A malicious user could exploit this + deterministic algorithm to create a denial-of-service attack. This + change was also made in Django 1.6.6, 1.5.9, and 1.4.14. + .. method:: get_valid_name(name) Returns a filename based on the ``name`` parameter that's suitable -- cgit v1.3