[5.0.x] Fixed CVE-2024-39330 -- Added extra file name validation in Storage's save method.

Thanks to Josh Schneier for the report, and to Carlton Gibson and Sarah Boyce for the reviews.
author: Natalia <124304+nessita@users.noreply.github.com> 2024-03-20 13:55:21 -0300
committer: Natalia <124304+nessita@users.noreply.github.com> 2024-07-09 10:03:32 -0300
commit: 9f4f63e9ebb7bf6cb9547ee4e2526b9b96703270 (patch)
tree: d9ff82b8d1c1949da56131e25c054cb15da9fc9c /django/core/files/utils.py
parent: 07cefdee4a9d1fcd9a3a631cbd07c78defd1923b (diff)
1 files changed, 3 insertions, 4 deletions
diff --git a/django/core/files/utils.py b/django/core/files/utils.py
index 611f932f6e..c730ca17e8 100644
--- a/django/core/files/utils.py
+++ b/django/core/files/utils.py
@@ -10,10 +10,9 @@ def validate_file_name(name, allow_relative_path=False):
         raise SuspiciousFileOperation("Could not derive file name from '%s'" % name)
 
     if allow_relative_path:
-        # Use PurePosixPath() because this branch is checked only in
-        # FileField.generate_filename() where all file paths are expected to be
-        # Unix style (with forward slashes).
-        path = pathlib.PurePosixPath(name)
+        # Ensure that name can be treated as a pure posix path, i.e. Unix
+        # style (with forward slashes).
+        path = pathlib.PurePosixPath(str(name).replace("\\", "/"))
         if path.is_absolute() or ".." in path.parts:
             raise SuspiciousFileOperation(
                 "Detected path traversal attempt in '%s'" % name
author	Natalia <124304+nessita@users.noreply.github.com>	2024-03-20 13:55:21 -0300
committer	Natalia <124304+nessita@users.noreply.github.com>	2024-07-09 10:03:32 -0300
commit	9f4f63e9ebb7bf6cb9547ee4e2526b9b96703270 (patch)
tree	d9ff82b8d1c1949da56131e25c054cb15da9fc9c /django/core/files/utils.py
parent	07cefdee4a9d1fcd9a3a631cbd07c78defd1923b (diff)