| author | Natalia <124304+nessita@users.noreply.github.com> | 2024-03-20 13:55:21 -0300 |
|---|---|---|
| committer | Natalia <124304+nessita@users.noreply.github.com> | 2024-07-09 10:03:32 -0300 |
| commit | 9f4f63e9ebb7bf6cb9547ee4e2526b9b96703270 (patch) | |
| tree | d9ff82b8d1c1949da56131e25c054cb15da9fc9c /docs/releases/4.2.14.txt | |
| parent | 07cefdee4a9d1fcd9a3a631cbd07c78defd1923b (diff) | |
[5.0.x] Fixed CVE-2024-39330 -- Added extra file name validation in Storage's save method.
Thanks to Josh Schneier for the report, and to Carlton Gibson and Sarah
Boyce for the reviews.
Diffstat (limited to 'docs/releases/4.2.14.txt')
| -rw-r--r-- | docs/releases/4.2.14.txt | 12 |
1 files changed, 12 insertions, 0 deletions
diff --git a/docs/releases/4.2.14.txt b/docs/releases/4.2.14.txt index 556cff4437..dc20cd9f28 100644 --- a/docs/releases/4.2.14.txt +++ b/docs/releases/4.2.14.txt @@ -20,3 +20,15 @@ CVE-2024-39329: Username enumeration through timing difference for users with un The :meth:`~django.contrib.auth.backends.ModelBackend.authenticate()` method allowed remote attackers to enumerate users via a timing attack involving login requests for users with unusable passwords. + +CVE-2024-39330: Potential directory-traversal via ``Storage.save()`` +==================================================================== + +Derived classes of the :class:`~django.core.files.storage.Storage` base class +which override :meth:`generate_filename() +<django.core.files.storage.Storage.generate_filename()>` without replicating +the file path validations existing in the parent class, allowed for potential +directory-traversal via certain inputs when calling :meth:`save() +<django.core.files.storage.Storage.save()>`. + +Built-in ``Storage`` sub-classes were not affected by this vulnerability. |
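Review bot: the new CVE-2024-39330 section describes the weak condition (a ``Storage`` subclass overriding ``generate_filename()`` without the parent's path checks) but never states what 4.2.14 actually changes, so a reader cannot tell from the release note whether a custom subclass is now protected or still needs its own validation. The commit title says the fix is extra file name validation in ``Storage.save()``; a closing sentence such as "``Storage.save()`` now validates the file name returned by ``generate_filename()``, so overriding it no longer bypasses these checks." would make the mitigation explicit and sit naturally before the "Built-in ``Storage`` sub-classes were not affected" line. Minor style point on the same paragraph: the comma in "...existing in the parent class, allowed for potential directory-traversal..." separates the subject from its verb and should be dropped, and "directory-traversal" is usually written unhyphenated ("directory traversal") when used as a noun, as in the other release-note entries.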
