[4.2.x] Fixed CVE-2024-39330 -- Added extra file name validation in Storage's save method.

Thanks to Josh Schneier for the report, and to Carlton Gibson and Sarah Boyce for the reviews.
author: Natalia <124304+nessita@users.noreply.github.com> 2024-03-20 13:55:21 -0300
committer: Natalia <124304+nessita@users.noreply.github.com> 2024-07-09 10:40:48 -0300
commit: 2b00edc0151a660d1eb86da4059904a0fc4e095e (patch)
tree: 1ca6d18807f1b88b3b9133f44fb2abd764d07577 /django/core/files/utils.py
parent: 156d3186c96e3ec2ca73b8b25dc2ef366e38df14 (diff)
1 files changed, 3 insertions, 4 deletions
diff --git a/django/core/files/utils.py b/django/core/files/utils.py
index 85342b2f3f..11e4f07724 100644
--- a/django/core/files/utils.py
+++ b/django/core/files/utils.py
@@ -10,10 +10,9 @@ def validate_file_name(name, allow_relative_path=False):
         raise SuspiciousFileOperation("Could not derive file name from '%s'" % name)
 
     if allow_relative_path:
-        # Use PurePosixPath() because this branch is checked only in
-        # FileField.generate_filename() where all file paths are expected to be
-        # Unix style (with forward slashes).
-        path = pathlib.PurePosixPath(name)
+        # Ensure that name can be treated as a pure posix path, i.e. Unix
+        # style (with forward slashes).
+        path = pathlib.PurePosixPath(str(name).replace("\\", "/"))
         if path.is_absolute() or ".." in path.parts:
             raise SuspiciousFileOperation(
                 "Detected path traversal attempt in '%s'" % name
author	Natalia <124304+nessita@users.noreply.github.com>	2024-03-20 13:55:21 -0300
committer	Natalia <124304+nessita@users.noreply.github.com>	2024-07-09 10:40:48 -0300
commit	2b00edc0151a660d1eb86da4059904a0fc4e095e (patch)
tree	1ca6d18807f1b88b3b9133f44fb2abd764d07577 /django/core/files/utils.py
parent	156d3186c96e3ec2ca73b8b25dc2ef366e38df14 (diff)