[4.2.x] Fixed CVE-2024-39330 -- Added extra file name validation in Storage's save method.

Thanks to Josh Schneier for the report, and to Carlton Gibson and Sarah Boyce for the reviews.
author: Natalia <124304+nessita@users.noreply.github.com> 2024-03-20 13:55:21 -0300
committer: Natalia <124304+nessita@users.noreply.github.com> 2024-07-09 10:40:48 -0300
commit: 2b00edc0151a660d1eb86da4059904a0fc4e095e (patch)
tree: 1ca6d18807f1b88b3b9133f44fb2abd764d07577 /docs/releases/4.2.14.txt
parent: 156d3186c96e3ec2ca73b8b25dc2ef366e38df14 (diff)
1 files changed, 12 insertions, 0 deletions
diff --git a/docs/releases/4.2.14.txt b/docs/releases/4.2.14.txt
index 556cff4437..dc20cd9f28 100644
--- a/docs/releases/4.2.14.txt
+++ b/docs/releases/4.2.14.txt
@@ -20,3 +20,15 @@ CVE-2024-39329: Username enumeration through timing difference for users with un
 The :meth:`~django.contrib.auth.backends.ModelBackend.authenticate()` method
 allowed remote attackers to enumerate users via a timing attack involving login
 requests for users with unusable passwords.
+
+CVE-2024-39330: Potential directory-traversal via ``Storage.save()``
+====================================================================
+
+Derived classes of the :class:`~django.core.files.storage.Storage` base class
+which override :meth:`generate_filename()
+<django.core.files.storage.Storage.generate_filename()>` without replicating
+the file path validations existing in the parent class, allowed for potential
+directory-traversal via certain inputs when calling :meth:`save()
+<django.core.files.storage.Storage.save()>`.
+
+Built-in ``Storage`` sub-classes were not affected by this vulnerability.
author	Natalia <124304+nessita@users.noreply.github.com>	2024-03-20 13:55:21 -0300
committer	Natalia <124304+nessita@users.noreply.github.com>	2024-07-09 10:40:48 -0300
commit	2b00edc0151a660d1eb86da4059904a0fc4e095e (patch)
tree	1ca6d18807f1b88b3b9133f44fb2abd764d07577 /docs/releases/4.2.14.txt
parent	156d3186c96e3ec2ca73b8b25dc2ef366e38df14 (diff)