[5.2.x] Fixed CVE-2025-59682 -- Fixed potential partial directory-traversal via archive.extract().

Thanks stackered for the report. Follow up to 05413afa8c18cdb978fcdf470e09f7a12b234a23. Backport of 924a0c092e65fa2d0953fd1855d2dc8786d94de2 from main.
author: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com> 2025-09-16 17:13:36 +0200
committer: Jacob Walls <jacobtylerwalls@gmail.com> 2025-10-01 08:25:20 -0400
commit: ed8fc39d77465eddbde1191a054ae965f6a8a584 (patch)
tree: 876ee5a8ae2368375517969343a91711a51f214f /django/utils/archive.py
parent: 52fbae0a4dbbe5faa59827f8f05694a0065cc135 (diff)
1 files changed, 5 insertions, 1 deletions
diff --git a/django/utils/archive.py b/django/utils/archive.py
index 56f34c0038..c05fbcdc97 100644
--- a/django/utils/archive.py
+++ b/django/utils/archive.py
@@ -145,7 +145,11 @@ class BaseArchive:
     def target_filename(self, to_path, name):
         target_path = os.path.abspath(to_path)
         filename = os.path.abspath(os.path.join(target_path, name))
-        if not filename.startswith(target_path):
+        try:
+            if os.path.commonpath([target_path, filename]) != target_path:
+                raise SuspiciousOperation("Archive contains invalid path: '%s'" % name)
+        except ValueError:
+            # Different drives on Windows raises ValueError.
             raise SuspiciousOperation("Archive contains invalid path: '%s'" % name)
         return filename
author	Sarah Boyce <42296566+sarahboyce@users.noreply.github.com>	2025-09-16 17:13:36 +0200
committer	Jacob Walls <jacobtylerwalls@gmail.com>	2025-10-01 08:25:20 -0400
commit	ed8fc39d77465eddbde1191a054ae965f6a8a584 (patch)
tree	876ee5a8ae2368375517969343a91711a51f214f /django/utils/archive.py
parent	52fbae0a4dbbe5faa59827f8f05694a0065cc135 (diff)