authorFlorian Apolloner <florian@apolloner.eu>2021-04-14 18:23:44 +0200
committerCarlton Gibson <carlton.gibson@noumenal.es>2021-04-27 19:12:15 +0200
commit25d84d64122c15050a0ee739e859f22ddab5ac48 (patch)
tree15fc59bd9e377fdf8ced4a60af221412fefffe15 /django/core/files/uploadedfile.py
parent6b0c7e6f5081a0dbe8acdbdcba9cfa6e5dff2792 (diff)
[3.1.x] Fixed CVE-2021-31542 -- Tightened path & file name sanitation in file uploads.
Diffstat (limited to 'django/core/files/uploadedfile.py')
-rw-r--r--django/core/files/uploadedfile.py3
1 files changed, 3 insertions, 0 deletions
diff --git a/django/core/files/uploadedfile.py b/django/core/files/uploadedfile.py
index 48007b8682..f452bcd9a4 100644
--- a/django/core/files/uploadedfile.py
+++ b/django/core/files/uploadedfile.py
@@ -8,6 +8,7 @@ from io import BytesIO
from django.conf import settings
from django.core.files import temp as tempfile
from django.core.files.base import File
+from django.core.files.utils import validate_file_name
__all__ = ('UploadedFile', 'TemporaryUploadedFile', 'InMemoryUploadedFile',
'SimpleUploadedFile')
@@ -47,6 +48,8 @@ class UploadedFile(File):
ext = ext[:255]
name = name[:255 - len(ext)] + ext
+ name = validate_file_name(name)
+
self._name = name
name = property(_get_name, _set_name)
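Review bot: The added `name = validate_file_name(name)` call has no comment saying what it rejects, or that assigning to `name` can now raise. That matters because callers set `name` as a plain attribute and would not expect an exception from it. The validator's body is not in this hunk; if it raises `SuspiciousFileOperation` for names that are still empty or dot-only after the basename and 255-character truncation steps, a comment above the call such as `# Reject names that are still unsafe after basename/truncation; raises SuspiciousFileOperation.` would record that contract. The setter starts outside this hunk and indentation is lost in this rendering, so confirm that the call is only reached with a string and never with a `None` name. A regression test that assigns such leftover names and asserts the exception would pin the behaviour this security fix relies on.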