[4.2.x] Fixed CVE-2024-39330 -- Added extra file name validation in Storage's save method.

Thanks to Josh Schneier for the report, and to Carlton Gibson and Sarah
Boyce for the reviews.

1 files changed, 11 insertions, 0 deletions

diff --git a/django/core/files/storage/base.py b/django/core/files/storage/base.py
index 16ac22f70a..03a1b44edb 100644
--- a/django/core/files/storage/base.py
+++ b/django/core/files/storage/base.py
@@ -34,7 +34,18 @@ class Storage:
         if not hasattr(content, "chunks"):
             content = File(content, name)
 
+        # Ensure that the name is valid, before and after having the storage
+        # system potentially modifying the name. This duplicates the check made
+        # inside `get_available_name` but it's necessary for those cases where
+        # `get_available_name` is overriden and validation is lost.
+        validate_file_name(name, allow_relative_path=True)
+
+        # Potentially find a different name depending on storage constraints.
         name = self.get_available_name(name, max_length=max_length)
+        # Validate the (potentially) new name.
+        validate_file_name(name, allow_relative_path=True)
+
+        # The save operation should return the actual name of the file saved.
         name = self._save(name, content)
         # Ensure that the name returned from the storage system is still valid.
         validate_file_name(name, allow_relative_path=True)