mirrors/django
1
0
Fork 0
mirror of https://github.com/django/django.git synced 2025-10-29 16:46:11 +00:00
Code Issues 32 Releases Wiki Activity

[1.6.x] Fixed #23157 -- Removed O(n) algorithm when uploading duplicate file names.

Browse Source 
This is a security fix. Disclosure following shortly.
This commit is contained in:
Tim Graham
2014-08-08 10:20:08 -04:00
parent da051da8df
commit dd0c3f4ee1
8 changed files with 113 additions and 25 deletions
Download Patch File Download Diff File Expand all files Collapse all files

22
tests/files/tests.py
View File

@@ -13,12 +13,15 @@ from django.core.files.base import ContentFile
from django.core.files.uploadedfile import SimpleUploadedFile
from django.core.files.temp import NamedTemporaryFile
from django.test import TestCase
from django.utils import unittest
from django.utils import six, unittest
from django.utils.six import StringIO
from .models import Storage, temp_storage, temp_storage_location
FILE_SUFFIX_REGEX = '[A-Za-z0-9]{7}'
class FileStorageTests(TestCase):
def tearDown(self):
shutil.rmtree(temp_storage_location)
@@ -64,27 +67,28 @@ class FileStorageTests(TestCase):
# Save another file with the same name.
obj2 = Storage()
obj2.normal.save("django_test.txt", ContentFile("more content"))
self.assertEqual(obj2.normal.name, "tests/django_test_1.txt")
obj2_name = obj2.normal.name
six.assertRegex(self, obj2_name, "tests/django_test_%s.txt" % FILE_SUFFIX_REGEX)
self.assertEqual(obj2.normal.size, 12)
# Push the objects into the cache to make sure they pickle properly
cache.set("obj1", obj1)
cache.set("obj2", obj2)
self.assertEqual(cache.get("obj2").normal.name, "tests/django_test_1.txt")
six.assertRegex(self, cache.get("obj2").normal.name, "tests/django_test_%s.txt" % FILE_SUFFIX_REGEX)
# Deleting an object does not delete the file it uses.
obj2.delete()
obj2.normal.save("django_test.txt", ContentFile("more content"))
self.assertEqual(obj2.normal.name, "tests/django_test_2.txt")
self.assertNotEqual(obj2_name, obj2.normal.name)
six.assertRegex(self, obj2.normal.name, "tests/django_test_%s.txt" % FILE_SUFFIX_REGEX)
# Multiple files with the same name get _N appended to them.
objs = [Storage() for i in range(3)]
objs = [Storage() for i in range(2)]
for o in objs:
o.normal.save("multiple_files.txt", ContentFile("Same Content"))
self.assertEqual(
[o.normal.name for o in objs],
["tests/multiple_files.txt", "tests/multiple_files_1.txt", "tests/multiple_files_2.txt"]
)
names = [o.normal.name for o in objs]
self.assertEqual(names[0], "tests/multiple_files.txt")
six.assertRegex(self, names[1], "tests/multiple_files_%s.txt" % FILE_SUFFIX_REGEX)
for o in objs:
o.delete()