From 74fa85c688a87224637155902bcd738bb9e65e11 Mon Sep 17 00:00:00 2001 From: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com> Date: Tue, 16 Sep 2025 17:13:36 +0200 Subject: [5.1.x] Fixed CVE-2025-59682 -- Fixed potential partial directory-traversal via archive.extract(). Thanks stackered for the report. Follow up to 05413afa8c18cdb978fcdf470e09f7a12b234a23. Backport of 924a0c092e65fa2d0953fd1855d2dc8786d94de2 from main. --- tests/utils_tests/test_archive.py | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) (limited to 'tests/utils_tests') diff --git a/tests/utils_tests/test_archive.py b/tests/utils_tests/test_archive.py index 89a45bc072..4d365e4d98 100644 --- a/tests/utils_tests/test_archive.py +++ b/tests/utils_tests/test_archive.py @@ -3,6 +3,7 @@ import stat import sys import tempfile import unittest +import zipfile from django.core.exceptions import SuspiciousOperation from django.test import SimpleTestCase @@ -94,3 +95,21 @@ class TestArchiveInvalid(SimpleTestCase): with self.subTest(entry), tempfile.TemporaryDirectory() as tmpdir: with self.assertRaisesMessage(SuspiciousOperation, msg % invalid_path): archive.extract(os.path.join(archives_dir, entry), tmpdir) + + def test_extract_function_traversal_startswith(self): + with tempfile.TemporaryDirectory() as tmpdir: + base = os.path.abspath(tmpdir) + tarfile_handle = tempfile.NamedTemporaryFile(suffix=".zip", delete=False) + tar_path = tarfile_handle.name + tarfile_handle.close() + self.addCleanup(os.remove, tar_path) + + malicious_member = os.path.join(base + "abc", "evil.txt") + with zipfile.ZipFile(tar_path, "w") as zf: + zf.writestr(malicious_member, "evil\n") + zf.writestr("test.txt", "data\n") + + with self.assertRaisesMessage( + SuspiciousOperation, "Archive contains invalid path" + ): + archive.extract(tar_path, base) -- cgit v1.3