Fixed CVE-2021-31542 -- Tightened path & file name sanitation in file uploads.

author: Florian Apolloner <florian@apolloner.eu> 2021-04-14 18:23:44 +0200
committer: Carlton Gibson <carlton.gibson@noumenal.es> 2021-05-04 08:44:42 +0200
commit: 0b79eb36915d178aef5c6a7bbce71b1e76d376d3 (patch)
tree: ceb3f3df98ca1ee553f793121b6e43dc67ee2607 /tests/utils_tests/test_text.py
parent: 8de4ca74ba49b3f97a252e2b9d385cb2e70c442c (diff)
1 files changed, 8 insertions, 0 deletions
diff --git a/tests/utils_tests/test_text.py b/tests/utils_tests/test_text.py
index c9c74521e3..852a7970ee 100644
--- a/tests/utils_tests/test_text.py
+++ b/tests/utils_tests/test_text.py
@@ -1,6 +1,7 @@
 import json
 import sys
 
+from django.core.exceptions import SuspiciousFileOperation
 from django.test import SimpleTestCase
 from django.utils import text
 from django.utils.functional import lazystr
@@ -228,6 +229,13 @@ class TestUtilsText(SimpleTestCase):
         filename = "^&'@{}[],$=!-#()%+~_123.txt"
         self.assertEqual(text.get_valid_filename(filename), "-_123.txt")
         self.assertEqual(text.get_valid_filename(lazystr(filename)), "-_123.txt")
+        msg = "Could not derive file name from '???'"
+        with self.assertRaisesMessage(SuspiciousFileOperation, msg):
+            text.get_valid_filename('???')
+        # After sanitizing this would yield '..'.
+        msg = "Could not derive file name from '$.$.$'"
+        with self.assertRaisesMessage(SuspiciousFileOperation, msg):
+            text.get_valid_filename('$.$.$')
 
     def test_compress_sequence(self):
         data = [{'key': i} for i in range(10)]
author	Florian Apolloner <florian@apolloner.eu>	2021-04-14 18:23:44 +0200
committer	Carlton Gibson <carlton.gibson@noumenal.es>	2021-05-04 08:44:42 +0200
commit	0b79eb36915d178aef5c6a7bbce71b1e76d376d3 (patch)
tree	ceb3f3df98ca1ee553f793121b6e43dc67ee2607 /tests/utils_tests/test_text.py
parent	8de4ca74ba49b3f97a252e2b9d385cb2e70c442c (diff)