mirror of
				https://github.com/django/django.git
				synced 2025-10-26 15:16:09 +00:00 
			
		
		
		
	Fixed #33062 -- Made MultiPartParser remove non-printable chars from file names.
This commit is contained in:
		
				
					committed by
					
						 Mariusz Felisiak
						Mariusz Felisiak
					
				
			
			
				
	
			
			
			
						parent
						
							0f6946495a
						
					
				
				
					commit
					3fadf141e6
				
			| @@ -320,6 +320,8 @@ class MultiPartParser: | |||||||
|         file_name = html.unescape(file_name) |         file_name = html.unescape(file_name) | ||||||
|         file_name = file_name.rsplit('/')[-1] |         file_name = file_name.rsplit('/')[-1] | ||||||
|         file_name = file_name.rsplit('\\')[-1] |         file_name = file_name.rsplit('\\')[-1] | ||||||
|  |         # Remove non-printable characters. | ||||||
|  |         file_name = ''.join([char for char in file_name if char.isprintable()]) | ||||||
|  |  | ||||||
|         if file_name in {'', '.', '..'}: |         if file_name in {'', '.', '..'}: | ||||||
|             return None |             return None | ||||||
|   | |||||||
| @@ -283,6 +283,29 @@ class FileUploadTests(TestCase): | |||||||
|         for i, name in enumerate(filenames): |         for i, name in enumerate(filenames): | ||||||
|             self.assertIsNone(received.get('file%s' % i)) |             self.assertIsNone(received.get('file%s' % i)) | ||||||
|  |  | ||||||
|  |     def test_non_printable_chars_in_file_names(self): | ||||||
|  |         file_name = 'non-\x00printable\x00\n_chars.txt\x00' | ||||||
|  |         payload = client.FakePayload() | ||||||
|  |         payload.write('\r\n'.join([ | ||||||
|  |             '--' + client.BOUNDARY, | ||||||
|  |             f'Content-Disposition: form-data; name="file"; filename="{file_name}"', | ||||||
|  |             'Content-Type: application/octet-stream', | ||||||
|  |             '', | ||||||
|  |             'You got pwnd.\r\n' | ||||||
|  |         ])) | ||||||
|  |         payload.write('\r\n--' + client.BOUNDARY + '--\r\n') | ||||||
|  |         r = { | ||||||
|  |             'CONTENT_LENGTH': len(payload), | ||||||
|  |             'CONTENT_TYPE': client.MULTIPART_CONTENT, | ||||||
|  |             'PATH_INFO': '/echo/', | ||||||
|  |             'REQUEST_METHOD': 'POST', | ||||||
|  |             'wsgi.input': payload, | ||||||
|  |         } | ||||||
|  |         response = self.client.request(**r) | ||||||
|  |         # Non-printable chars are sanitized. | ||||||
|  |         received = response.json() | ||||||
|  |         self.assertEqual(received['file'], 'non-printable_chars.txt') | ||||||
|  |  | ||||||
|     def test_dangerous_file_names(self): |     def test_dangerous_file_names(self): | ||||||
|         """Uploaded file names should be sanitized before ever reaching the view.""" |         """Uploaded file names should be sanitized before ever reaching the view.""" | ||||||
|         # This test simulates possible directory traversal attacks by a |         # This test simulates possible directory traversal attacks by a | ||||||
|   | |||||||
		Reference in New Issue
	
	Block a user