1
0
mirror of https://github.com/django/django.git synced 2024-12-25 10:35:48 +00:00
Commit Graph

5 Commits

Author SHA1 Message Date
Mariusz Felisiak
b55699968f
Fixed #32718 -- Relaxed file name validation in FileField.
- Validate filename returned by FileField.upload_to() not a filename
  passed to the FileField.generate_filename() (upload_to() may
  completely ignored passed filename).
- Allow relative paths (without dot segments) in the generated filename.

Thanks to Jakub Kleň for the report and review.
Thanks to all folks for checking this patch on existing projects.
Thanks Florian Apolloner and Markus Holtermann for the discussion and
implementation idea.

Regression in 0b79eb3691.
2021-05-13 08:53:44 +02:00
Carlton Gibson
a708f39ce6 Refs CVE-2021-31542 -- Skipped mock AWS storage test on Windows.
The validate_file_name() sanitation introduced in
0b79eb3691 correctly rejects the example
file name as containing path elements on Windows. This breaks the test
introduced in 914c72be2a to allow path
components for storages that may allow them.

Test is skipped pending a discussed storage refactoring to support this
use-case.
2021-05-06 07:04:52 +02:00
Florian Apolloner
0b79eb3691 Fixed CVE-2021-31542 -- Tightened path & file name sanitation in file uploads. 2021-05-04 08:44:42 +02:00
Tim Graham
0dfc5479a8 Refs #26058 -- Removed deprecated FileField.get_directory_name()/get_filename(). 2017-01-17 20:52:04 -05:00
Cristiano
914c72be2a Fixed #26058 -- Delegated os.path bits of FileField's filename generation to the Storage. 2016-04-30 17:22:40 -04:00