diff options
| author | Florian Apolloner <florian@apolloner.eu> | 2021-12-17 21:07:50 +0100 |
|---|---|---|
| committer | Carlton Gibson <carlton.gibson@noumenal.es> | 2022-01-04 10:20:31 +0100 |
| commit | 4cb35b384ceef52123fc66411a73c36a706825e1 (patch) | |
| tree | 1bd0e98713c96e81e1c93d60509c3548291b30a6 /django | |
| parent | c9f648ccfac5ab90fb2829a66da4f77e68c7f93a (diff) | |
[2.2.x] Fixed CVE-2021-45452 -- Fixed potential path traversal in storage subsystem.
Thanks to Dennis Brinkrolf for the report.
Diffstat (limited to 'django')
| -rw-r--r-- | django/core/files/storage.py | 9 |
1 files changed, 8 insertions, 1 deletions
diff --git a/django/core/files/storage.py b/django/core/files/storage.py index 89faa626e6..ea5bbc82d0 100644 --- a/django/core/files/storage.py +++ b/django/core/files/storage.py @@ -51,7 +51,10 @@ class Storage: content = File(content, name) name = self.get_available_name(name, max_length=max_length) - return self._save(name, content) + name = self._save(name, content) + # Ensure that the name returned from the storage system is still valid. + validate_file_name(name, allow_relative_path=True) + return name # These methods are part of the public API, with default implementations. @@ -67,6 +70,7 @@ class Storage: Return a filename that's free on the target storage system and available for new content to be written to. """ + name = str(name).replace('\\', '/') dir_name, file_name = os.path.split(name) if '..' in pathlib.PurePath(dir_name).parts: raise SuspiciousFileOperation("Detected path traversal attempt in '%s'" % dir_name) @@ -101,6 +105,7 @@ class Storage: Validate the filename by calling get_valid_name() and return a filename to be passed to the save() method. """ + filename = str(filename).replace('\\', '/') # `filename` may include a path as returned by FileField.upload_to. dirname, filename = os.path.split(filename) if '..' in pathlib.PurePath(dirname).parts: @@ -296,6 +301,8 @@ class FileSystemStorage(Storage): if self.file_permissions_mode is not None: os.chmod(full_path, self.file_permissions_mode) + # Ensure the saved path is always relative to the storage root. + name = os.path.relpath(full_path, self.location) # Store filenames with forward slashes, even on Windows. return name.replace('\\', '/') |