
[3.2.x] Fixed CVE-2021-31542 -- Tightened path & file name sanitation in file uploads.

This commit is contained in:
Florian Apolloner
2021-04-14 18:23:44 +02:00
committed by Carlton Gibson
parent 8e1900d4f3
commit c98f446c18
14 changed files with 190 additions and 13 deletions


@@ -1,6 +1,7 @@
import json
import sys
from django.core.exceptions import SuspiciousFileOperation
from django.test import SimpleTestCase, ignore_warnings
from django.utils import text
from django.utils.deprecation import RemovedInDjango40Warning
@@ -255,6 +256,13 @@ class TestUtilsText(SimpleTestCase):
filename = "^&'@{}[],$=!-#()%+~_123.txt"
self.assertEqual(text.get_valid_filename(filename), "-_123.txt")
self.assertEqual(text.get_valid_filename(lazystr(filename)), "-_123.txt")
msg = "Could not derive file name from '???'"
with self.assertRaisesMessage(SuspiciousFileOperation, msg):
text.get_valid_filename('???')
# After sanitizing this would yield '..'.
msg = "Could not derive file name from '$.$.$'"
with self.assertRaisesMessage(SuspiciousFileOperation, msg):
text.get_valid_filename('$.$.$')
def test_compress_sequence(self):
data = [{'key': i} for i in range(10)]
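Review bot: The new assertions pin the two results the comment calls out, an empty name ('???') and a name that sanitises to '..' ('$.$.$'), but not the third degenerate result, a single '.', which is just as unusable as an upload file name and is the obvious sibling of the '..' case. If the sanitiser rejects it as well (inferred from the '..' check; the implementation is not in this hunk), pin it here with `with self.assertRaisesMessage(SuspiciousFileOperation, "Could not derive file name from '$.$'"):` followed by `text.get_valid_filename('$.$')`, and a bare `'.'` input for the same reason. It would also be worth one assertion that a name with path separators (e.g. `'../../etc/passwd'`) still yields a bare name rather than raising, so the new rejection does not regress the existing stripping behaviour. The test method these lines belong to starts before this hunk, so its name and any earlier assertions are outside view.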