From 74fa85c688a87224637155902bcd738bb9e65e11 Mon Sep 17 00:00:00 2001
From: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com>
Date: Tue, 16 Sep 2025 17:13:36 +0200
Subject: [5.1.x] Fixed CVE-2025-59682 -- Fixed potential partial
 directory-traversal via archive.extract().

Thanks stackered for the report.

Follow up to 05413afa8c18cdb978fcdf470e09f7a12b234a23.

Backport of 924a0c092e65fa2d0953fd1855d2dc8786d94de2 from main.
---
 django/utils/archive.py | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

(limited to 'django/utils/archive.py')

diff --git a/django/utils/archive.py b/django/utils/archive.py
index 56f34c0038..c05fbcdc97 100644
--- a/django/utils/archive.py
+++ b/django/utils/archive.py
@@ -145,7 +145,11 @@ class BaseArchive:
     def target_filename(self, to_path, name):
         target_path = os.path.abspath(to_path)
         filename = os.path.abspath(os.path.join(target_path, name))
-        if not filename.startswith(target_path):
+        try:
+            if os.path.commonpath([target_path, filename]) != target_path:
+                raise SuspiciousOperation("Archive contains invalid path: '%s'" % name)
+        except ValueError:
+            # Different drives on Windows raises ValueError.
             raise SuspiciousOperation("Archive contains invalid path: '%s'" % name)
         return filename
 
-- 
cgit v1.3