[5.1.x] Fixed CVE-2025-59682 -- Fixed potential partial directory-traversal via archive.extract().

Thanks stackered for the report. Follow up to 05413afa8c18cdb978fcdf470e09f7a12b234a23. Backport of 924a0c092e65fa2d0953fd1855d2dc8786d94de2 from main.
author: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com> 2025-09-16 17:13:36 +0200
committer: Jacob Walls <jacobtylerwalls@gmail.com> 2025-10-01 08:53:50 -0400
commit: 74fa85c688a87224637155902bcd738bb9e65e11 (patch)
tree: 268c19a879baaead227fe8cf22a80228dc2f9da1 /django/utils/archive.py
parent: 01d2d770e22bffe53c7f1e611e2bbca94cb8a2e7 (diff)
1 files changed, 5 insertions, 1 deletions
diff --git a/django/utils/archive.py b/django/utils/archive.py
index 56f34c0038..c05fbcdc97 100644
--- a/django/utils/archive.py
+++ b/django/utils/archive.py
@@ -145,7 +145,11 @@ class BaseArchive:
     def target_filename(self, to_path, name):
         target_path = os.path.abspath(to_path)
         filename = os.path.abspath(os.path.join(target_path, name))
-        if not filename.startswith(target_path):
+        try:
+            if os.path.commonpath([target_path, filename]) != target_path:
+                raise SuspiciousOperation("Archive contains invalid path: '%s'" % name)
+        except ValueError:
+            # Different drives on Windows raises ValueError.
             raise SuspiciousOperation("Archive contains invalid path: '%s'" % name)
         return filename
author	Sarah Boyce <42296566+sarahboyce@users.noreply.github.com>	2025-09-16 17:13:36 +0200
committer	Jacob Walls <jacobtylerwalls@gmail.com>	2025-10-01 08:53:50 -0400
commit	74fa85c688a87224637155902bcd738bb9e65e11 (patch)
tree	268c19a879baaead227fe8cf22a80228dc2f9da1 /django/utils/archive.py
parent	01d2d770e22bffe53c7f1e611e2bbca94cb8a2e7 (diff)