Diffstat (limited to 'django/http/multipartparser.py')
| -rw-r--r-- | django/http/multipartparser.py | 26 |
1 files changed, 20 insertions, 6 deletions
diff --git a/django/http/multipartparser.py b/django/http/multipartparser.py
index 5a9cca89e6..4570ebbaee 100644
--- a/django/http/multipartparser.py
+++ b/django/http/multipartparser.py
@@ -7,7 +7,7 @@ file upload handlers for processing.
 import base64
 import binascii
 import cgi
-import os
+import html
 from urllib.parse import unquote
 
 from django.conf import settings
@@ -19,7 +19,6 @@ from django.core.files.uploadhandler import (
 )
 from django.utils.datastructures import MultiValueDict
 from django.utils.encoding import force_text
-from django.utils.text import unescape_entities
 
 __all__ = ('MultiPartParser', 'MultiPartParserError', 'InputStreamExhausted')
 
@@ -295,10 +294,25 @@ class MultiPartParser:
                     break
 
     def sanitize_file_name(self, file_name):
-        file_name = unescape_entities(file_name)
-        # Cleanup Windows-style path separators.
-        file_name = file_name[file_name.rfind('\\') + 1:].strip()
-        return os.path.basename(file_name)
+        """
+        Sanitize the filename of an upload.
+
+        Remove all possible path separators, even though that might remove more
+        than actually required by the target system. Filenames that could
+        potentially cause problems (current/parent dir) are also discarded.
+
+        It should be noted that this function could still return a "filepath"
+        like "C:some_file.txt" which is handled later on by the storage layer.
+        So while this function does sanitize filenames to some extent, the
+        resulting filename should still be considered as untrusted user input.
+        """
+        file_name = html.unescape(file_name)
+        file_name = file_name.rsplit('/')[-1]
+        file_name = file_name.rsplit('\\')[-1]
+
+        if file_name in {'', '.', '..'}:
+            return None
+        return file_name
 
     IE_sanitize = sanitize_file_name
 
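Review bot: The rewritten sanitize_file_name drops the `.strip()` that the removed implementation applied, so a whitespace-only name such as `' '` is now returned unchanged instead of collapsing to an empty string, and a name like `' .. '` is not caught by the `{'', '.', '..'}` check; whether that matters depends on how callers treat the result, which is outside the hunk. Parity with the old behaviour is a one-token change on the last split: `file_name = file_name.rsplit('\\')[-1].strip()`. The ordering of `html.unescape` before the two splits is the load-bearing part of the defense (an entity-encoded separator is decoded before the splits discard it), but neither the docstring nor a comment says so; a one-line comment above the unescape call, `# Unescape first so the separator splits below also see entity-encoded separators.`, would record the intent. The return type also changed from `str` to `str | None`, which the docstring should state, e.g. `Return None if the name is empty or refers to the current/parent directory.`, so that callers know to guard for it.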
