authorFlorian Apolloner <florian@apolloner.eu>2021-04-14 18:23:44 +0200
committerCarlton Gibson <carlton.gibson@noumenal.es>2021-05-04 08:44:42 +0200
commit0b79eb36915d178aef5c6a7bbce71b1e76d376d3 (patch)
treeceb3f3df98ca1ee553f793121b6e43dc67ee2607 /django/core/files/utils.py
parent8de4ca74ba49b3f97a252e2b9d385cb2e70c442c (diff)
Fixed CVE-2021-31542 -- Tightened path & file name sanitation in file uploads.
Diffstat (limited to 'django/core/files/utils.py')
-rw-r--r--django/core/files/utils.py16
1 files changed, 16 insertions, 0 deletions
diff --git a/django/core/files/utils.py b/django/core/files/utils.py
index de89607175..f83cb1a3cf 100644
--- a/django/core/files/utils.py
+++ b/django/core/files/utils.py
@@ -1,3 +1,19 @@
+import os
+
+from django.core.exceptions import SuspiciousFileOperation
+
+
+def validate_file_name(name):
+ if name != os.path.basename(name):
+ raise SuspiciousFileOperation("File name '%s' includes path elements" % name)
+
+ # Remove potentially dangerous names
+ if name in {'', '.', '..'}:
+ raise SuspiciousFileOperation("Could not derive file name from '%s'" % name)
+
+ return name
+
+
class FileProxyMixin:
"""
A mixin class used to forward file methods to an underlaying file
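Review bot: The `name != os.path.basename(name)` check in validate_file_name is platform-dependent: on POSIX `os.path.basename` only recognises `/`, so a name such as `..\..\x` passes this check unchanged and would only be caught later if the result is joined into a path on a Windows host or by code that normalises backslashes, which depends on callers outside this hunk. If the intent is a portable "bare file name only" sanitizer, reject both separators explicitly, e.g. `if name != os.path.basename(name) or '\\' in name:`, and note that `name in {'', '.', '..'}` is a str-only comparison, so a `bytes` name like `b'..'` (if any caller passes bytes) satisfies the basename test and is returned as-is. The function also has no docstring; a one-line contract such as `"""Return name unchanged if it is a bare file name; raise SuspiciousFileOperation for '', '.', '..' or anything containing a path separator."""` would make the rejection policy explicit for the callers this commit touches elsewhere.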