authorMariusz Felisiak <felisiak.mariusz@gmail.com>2021-03-16 10:19:00 +0100
committerMariusz Felisiak <felisiak.mariusz@gmail.com>2021-04-06 08:25:24 +0200
commitcca0d98118cccf9ae0c6dcf2d6c57fc50469fbf0 (patch)
tree4ce9e5d999d73ed3a51d28a16d2c288a43a89e60 /django
parent6eb01cb0521a09003c42a3ab3ad7503ecede36be (diff)
[3.1.x] Fixed CVE-2021-28658 -- Fixed potential directory-traversal via uploaded files.
Thanks Claude Paroz for the initial patch. Thanks Dennis Brinkrolf for the report. Backport of d4d800ca1addc4141e03c5440a849bb64d1582cd from main.
Diffstat (limited to 'django')
-rw-r--r--django/http/multipartparser.py13
1 files changed, 8 insertions, 5 deletions
diff --git a/django/http/multipartparser.py b/django/http/multipartparser.py
index b3472f7be2..2351055e3a 100644
--- a/django/http/multipartparser.py
+++ b/django/http/multipartparser.py
@@ -209,9 +209,8 @@ class MultiPartParser:
# This is a file, use the handler...
file_name = disposition.get('filename')
if file_name:
- file_name = os.path.basename(file_name)
file_name = force_str(file_name, encoding, errors='replace')
- file_name = self.IE_sanitize(html.unescape(file_name))
+ file_name = self.sanitize_file_name(file_name)
if not file_name:
continue
@@ -299,9 +298,13 @@ class MultiPartParser:
self._files.appendlist(force_str(old_field_name, self._encoding, errors='replace'), file_obj)
break
- def IE_sanitize(self, filename):
- """Cleanup filename from Internet Explorer full paths."""
- return filename and filename[filename.rfind("\\") + 1:].strip()
+ def sanitize_file_name(self, file_name):
+ file_name = html.unescape(file_name)
+ # Cleanup Windows-style path separators.
+ file_name = file_name[file_name.rfind('\\') + 1:].strip()
+ return os.path.basename(file_name)
+
+ IE_sanitize = sanitize_file_name
def _close_files(self):
# Free up all file handles.
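Review bot: `sanitize_file_name` drops the falsy guard the old `IE_sanitize` had (`return filename and ...`), so the kept alias `IE_sanitize = sanitize_file_name` now raises TypeError from `html.unescape` when handed `None` or `''` where it previously returned the value unchanged; the in-tree caller is protected by `if file_name:` in the first hunk, but an external caller of the alias is not. A one-line guard before the unescape, `if not file_name: return file_name`, keeps the alias backward-compatible without changing the sanitized result. The method also has no docstring, and the order of operations is the security-relevant part of the change: unescaping runs before the backslash split and `os.path.basename`, whereas the removed caller code applied basename before unescaping, so an entity-encoded separator could presumably survive basename and be decoded afterwards. I would document that invariant with a docstring such as `"""Sanitize an uploaded file name: unescape HTML entities first, then strip any Windows-style path prefix and reduce to the base name, so encoded separators cannot survive basename()."""`.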