Fixed CVE-2025-59682 -- Fixed potential partial directory-traversal via archive.extract().

Thanks stackered for the report. Follow up to 05413afa8c18cdb978fcdf470e09f7a12b234a23.
author: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com> 2025-09-16 17:13:36 +0200
committer: Jacob Walls <jacobtylerwalls@gmail.com> 2025-10-01 08:12:07 -0400
commit: 924a0c092e65fa2d0953fd1855d2dc8786d94de2 (patch)
tree: 101a0c0e0e28a471c92fa19c8890d7f200a0b8fd /django/utils/archive.py
parent: 41b43c74bda19753c757036673ea9db74acf494a (diff)
1 files changed, 5 insertions, 1 deletions
diff --git a/django/utils/archive.py b/django/utils/archive.py
index 4042e89af9..e9c0ce7cb4 100644
--- a/django/utils/archive.py
+++ b/django/utils/archive.py
@@ -145,7 +145,11 @@ class BaseArchive:
     def target_filename(self, to_path, name):
         target_path = os.path.abspath(to_path)
         filename = os.path.abspath(os.path.join(target_path, name))
-        if not filename.startswith(target_path):
+        try:
+            if os.path.commonpath([target_path, filename]) != target_path:
+                raise SuspiciousOperation("Archive contains invalid path: '%s'" % name)
+        except ValueError:
+            # Different drives on Windows raises ValueError.
             raise SuspiciousOperation("Archive contains invalid path: '%s'" % name)
         return filename
author	Sarah Boyce <42296566+sarahboyce@users.noreply.github.com>	2025-09-16 17:13:36 +0200
committer	Jacob Walls <jacobtylerwalls@gmail.com>	2025-10-01 08:12:07 -0400
commit	924a0c092e65fa2d0953fd1855d2dc8786d94de2 (patch)
tree	101a0c0e0e28a471c92fa19c8890d7f200a0b8fd /django/utils/archive.py
parent	41b43c74bda19753c757036673ea9db74acf494a (diff)