Fixed #33062 -- Made MultiPartParser remove non-printable chars from file names.

author: Hrushikesh Vaidya <hrushikeshrv@gmail.com> 2022-01-17 14:42:48 +0530
committer: Mariusz Felisiak <felisiak.mariusz@gmail.com> 2022-01-20 07:19:52 +0100
commit: 3fadf141e66c8d0baaa66574fa3b63c4d3655482 (patch)
tree: fb04627e74070eb488e6efb35af4f1d4d32e1909 /django/http/multipartparser.py
parent: 0f6946495a8ec955b471ca1baaf408ceb53d4796 (diff)
1 files changed, 2 insertions, 0 deletions
diff --git a/django/http/multipartparser.py b/django/http/multipartparser.py
index ddf7cfa2f6..c3cb90e639 100644
--- a/django/http/multipartparser.py
+++ b/django/http/multipartparser.py
@@ -320,6 +320,8 @@ class MultiPartParser:
         file_name = html.unescape(file_name)
         file_name = file_name.rsplit('/')[-1]
         file_name = file_name.rsplit('\\')[-1]
+        # Remove non-printable characters.
+        file_name = ''.join([char for char in file_name if char.isprintable()])
 
         if file_name in {'', '.', '..'}:
             return None
author	Hrushikesh Vaidya <hrushikeshrv@gmail.com>	2022-01-17 14:42:48 +0530
committer	Mariusz Felisiak <felisiak.mariusz@gmail.com>	2022-01-20 07:19:52 +0100
commit	3fadf141e66c8d0baaa66574fa3b63c4d3655482 (patch)
tree	fb04627e74070eb488e6efb35af4f1d4d32e1909 /django/http/multipartparser.py
parent	0f6946495a8ec955b471ca1baaf408ceb53d4796 (diff)