From 0b79eb36915d178aef5c6a7bbce71b1e76d376d3 Mon Sep 17 00:00:00 2001 From: Florian Apolloner Date: Wed, 14 Apr 2021 18:23:44 +0200 Subject: Fixed CVE-2021-31542 -- Tightened path & file name sanitation in file uploads. --- tests/utils_tests/test_text.py | 8 ++++++++ 1 file changed, 8 insertions(+) (limited to 'tests/utils_tests') diff --git a/tests/utils_tests/test_text.py b/tests/utils_tests/test_text.py index c9c74521e3..852a7970ee 100644 --- a/tests/utils_tests/test_text.py +++ b/tests/utils_tests/test_text.py @@ -1,6 +1,7 @@ import json import sys +from django.core.exceptions import SuspiciousFileOperation from django.test import SimpleTestCase from django.utils import text from django.utils.functional import lazystr @@ -228,6 +229,13 @@ class TestUtilsText(SimpleTestCase): filename = "^&'@{}[],$=!-#()%+~_123.txt" self.assertEqual(text.get_valid_filename(filename), "-_123.txt") self.assertEqual(text.get_valid_filename(lazystr(filename)), "-_123.txt") + msg = "Could not derive file name from '???'" + with self.assertRaisesMessage(SuspiciousFileOperation, msg): + text.get_valid_filename('???') + # After sanitizing this would yield '..'. + msg = "Could not derive file name from '$.$.$'" + with self.assertRaisesMessage(SuspiciousFileOperation, msg): + text.get_valid_filename('$.$.$') def test_compress_sequence(self): data = [{'key': i} for i in range(10)] -- cgit v1.3