Fixed CVE-2021-31542 -- Tightened path & file name sanitation in file uploads.

author: Florian Apolloner <florian@apolloner.eu> 2021-04-14 18:23:44 +0200
committer: Carlton Gibson <carlton.gibson@noumenal.es> 2021-05-04 08:44:42 +0200
commit: 0b79eb36915d178aef5c6a7bbce71b1e76d376d3 (patch)
tree: ceb3f3df98ca1ee553f793121b6e43dc67ee2607 /django/core/files/uploadedfile.py
parent: 8de4ca74ba49b3f97a252e2b9d385cb2e70c442c (diff)
download: django-0b79eb36915d178aef5c6a7bbce71b1e76d376d3.tar.gz
1 files changed, 3 insertions, 0 deletions
diff --git a/django/core/files/uploadedfile.py b/django/core/files/uploadedfile.py
index 48007b8682..f452bcd9a4 100644
--- a/django/core/files/uploadedfile.py
+++ b/django/core/files/uploadedfile.py
@@ -8,6 +8,7 @@ from io import BytesIO
 from django.conf import settings
 from django.core.files import temp as tempfile
 from django.core.files.base import File
+from django.core.files.utils import validate_file_name
 
 __all__ = ('UploadedFile', 'TemporaryUploadedFile', 'InMemoryUploadedFile',
            'SimpleUploadedFile')
@@ -47,6 +48,8 @@ class UploadedFile(File):
                 ext = ext[:255]
                 name = name[:255 - len(ext)] + ext
 
+            name = validate_file_name(name)
+
         self._name = name
 
     name = property(_get_name, _set_name)
author	Florian Apolloner <florian@apolloner.eu>	2021-04-14 18:23:44 +0200
committer	Carlton Gibson <carlton.gibson@noumenal.es>	2021-05-04 08:44:42 +0200
commit	0b79eb36915d178aef5c6a7bbce71b1e76d376d3 (patch)
tree	ceb3f3df98ca1ee553f793121b6e43dc67ee2607 /django/core/files/uploadedfile.py
parent	8de4ca74ba49b3f97a252e2b9d385cb2e70c442c (diff)
download	django-0b79eb36915d178aef5c6a7bbce71b1e76d376d3.tar.gz