diff options
| author | Natalia <124304+nessita@users.noreply.github.com> | 2024-03-20 13:55:21 -0300 |
|---|---|---|
| committer | Natalia <124304+nessita@users.noreply.github.com> | 2024-07-09 10:40:48 -0300 |
| commit | 2b00edc0151a660d1eb86da4059904a0fc4e095e (patch) | |
| tree | 1ca6d18807f1b88b3b9133f44fb2abd764d07577 /django/core/files | |
| parent | 156d3186c96e3ec2ca73b8b25dc2ef366e38df14 (diff) | |
[4.2.x] Fixed CVE-2024-39330 -- Added extra file name validation in Storage's save method.
Thanks to Josh Schneier for the report, and to Carlton Gibson and Sarah
Boyce for the reviews.
Diffstat (limited to 'django/core/files')
| -rw-r--r-- | django/core/files/storage/base.py | 11 | ||||
| -rw-r--r-- | django/core/files/utils.py | 7 |
2 files changed, 14 insertions, 4 deletions
diff --git a/django/core/files/storage/base.py b/django/core/files/storage/base.py index 16ac22f70a..03a1b44edb 100644 --- a/django/core/files/storage/base.py +++ b/django/core/files/storage/base.py @@ -34,7 +34,18 @@ class Storage: if not hasattr(content, "chunks"): content = File(content, name) + # Ensure that the name is valid, before and after having the storage + # system potentially modifying the name. This duplicates the check made + # inside `get_available_name` but it's necessary for those cases where + # `get_available_name` is overriden and validation is lost. + validate_file_name(name, allow_relative_path=True) + + # Potentially find a different name depending on storage constraints. name = self.get_available_name(name, max_length=max_length) + # Validate the (potentially) new name. + validate_file_name(name, allow_relative_path=True) + + # The save operation should return the actual name of the file saved. name = self._save(name, content) # Ensure that the name returned from the storage system is still valid. validate_file_name(name, allow_relative_path=True) diff --git a/django/core/files/utils.py b/django/core/files/utils.py index 85342b2f3f..11e4f07724 100644 --- a/django/core/files/utils.py +++ b/django/core/files/utils.py @@ -10,10 +10,9 @@ def validate_file_name(name, allow_relative_path=False): raise SuspiciousFileOperation("Could not derive file name from '%s'" % name) if allow_relative_path: - # Use PurePosixPath() because this branch is checked only in - # FileField.generate_filename() where all file paths are expected to be - # Unix style (with forward slashes). - path = pathlib.PurePosixPath(name) + # Ensure that name can be treated as a pure posix path, i.e. Unix + # style (with forward slashes). + path = pathlib.PurePosixPath(str(name).replace("\\", "/")) if path.is_absolute() or ".." in path.parts: raise SuspiciousFileOperation( "Detected path traversal attempt in '%s'" % name |