[4.2.x] Fixed CVE-2025-59682 -- Fixed potential partial directory-traversal via archive.extract().

Thanks stackered for the report. Follow up to 05413afa8c18cdb978fcdf470e09f7a12b234a23. Backport of 924a0c092e65fa2d0953fd1855d2dc8786d94de2 from main.
author: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com> 2025-09-16 17:13:36 +0200
committer: Jacob Walls <jacobtylerwalls@gmail.com> 2025-10-01 09:06:00 -0400
commit: 9504bbaa392c9fe37eee9291f5b4c29eb6037619 (patch)
tree: 1205ca9e548ba0d5b2bfe768987b5e9bc88471fe /django/utils
parent: 38d9ef8c7b5cb6ef51b933e51a20e0e0063f33d5 (diff)
1 files changed, 5 insertions, 1 deletions
diff --git a/django/utils/archive.py b/django/utils/archive.py
index 71ec2d0015..e8af690e27 100644
--- a/django/utils/archive.py
+++ b/django/utils/archive.py
@@ -144,7 +144,11 @@ class BaseArchive:
     def target_filename(self, to_path, name):
         target_path = os.path.abspath(to_path)
         filename = os.path.abspath(os.path.join(target_path, name))
-        if not filename.startswith(target_path):
+        try:
+            if os.path.commonpath([target_path, filename]) != target_path:
+                raise SuspiciousOperation("Archive contains invalid path: '%s'" % name)
+        except ValueError:
+            # Different drives on Windows raises ValueError.
             raise SuspiciousOperation("Archive contains invalid path: '%s'" % name)
         return filename
author	Sarah Boyce <42296566+sarahboyce@users.noreply.github.com>	2025-09-16 17:13:36 +0200
committer	Jacob Walls <jacobtylerwalls@gmail.com>	2025-10-01 09:06:00 -0400
commit	9504bbaa392c9fe37eee9291f5b4c29eb6037619 (patch)
tree	1205ca9e548ba0d5b2bfe768987b5e9bc88471fe /django/utils
parent	38d9ef8c7b5cb6ef51b933e51a20e0e0063f33d5 (diff)