diff options
| author | Natalia <124304+nessita@users.noreply.github.com> | 2024-03-20 13:55:21 -0300 |
|---|---|---|
| committer | Natalia <124304+nessita@users.noreply.github.com> | 2024-07-09 10:03:32 -0300 |
| commit | 9f4f63e9ebb7bf6cb9547ee4e2526b9b96703270 (patch) | |
| tree | d9ff82b8d1c1949da56131e25c054cb15da9fc9c /django | |
| parent | 07cefdee4a9d1fcd9a3a631cbd07c78defd1923b (diff) | |
[5.0.x] Fixed CVE-2024-39330 -- Added extra file name validation in Storage's save method.
Thanks to Josh Schneier for the report, and to Carlton Gibson and Sarah
Boyce for the reviews.
Diffstat (limited to 'django')
| -rw-r--r-- | django/core/files/storage/base.py | 11 | ||||
| -rw-r--r-- | django/core/files/utils.py | 7 |
2 files changed, 14 insertions, 4 deletions
diff --git a/django/core/files/storage/base.py b/django/core/files/storage/base.py index 16ac22f70a..03a1b44edb 100644 --- a/django/core/files/storage/base.py +++ b/django/core/files/storage/base.py @@ -34,7 +34,18 @@ class Storage: if not hasattr(content, "chunks"): content = File(content, name) + # Ensure that the name is valid, before and after having the storage + # system potentially modifying the name. This duplicates the check made + # inside `get_available_name` but it's necessary for those cases where + # `get_available_name` is overriden and validation is lost. + validate_file_name(name, allow_relative_path=True) + + # Potentially find a different name depending on storage constraints. name = self.get_available_name(name, max_length=max_length) + # Validate the (potentially) new name. + validate_file_name(name, allow_relative_path=True) + + # The save operation should return the actual name of the file saved. name = self._save(name, content) # Ensure that the name returned from the storage system is still valid. validate_file_name(name, allow_relative_path=True) diff --git a/django/core/files/utils.py b/django/core/files/utils.py index 611f932f6e..c730ca17e8 100644 --- a/django/core/files/utils.py +++ b/django/core/files/utils.py @@ -10,10 +10,9 @@ def validate_file_name(name, allow_relative_path=False): raise SuspiciousFileOperation("Could not derive file name from '%s'" % name) if allow_relative_path: - # Use PurePosixPath() because this branch is checked only in - # FileField.generate_filename() where all file paths are expected to be - # Unix style (with forward slashes). - path = pathlib.PurePosixPath(name) + # Ensure that name can be treated as a pure posix path, i.e. Unix + # style (with forward slashes). + path = pathlib.PurePosixPath(str(name).replace("\\", "/")) if path.is_absolute() or ".." in path.parts: raise SuspiciousFileOperation( "Detected path traversal attempt in '%s'" % name |