path: root/django/db/models/fields/files.py
authorFlorian Apolloner <florian@apolloner.eu>2021-04-14 18:23:44 +0200
committerCarlton Gibson <carlton.gibson@noumenal.es>2021-05-04 08:44:42 +0200
commit0b79eb36915d178aef5c6a7bbce71b1e76d376d3 (patch)
treeceb3f3df98ca1ee553f793121b6e43dc67ee2607 /django/db/models/fields/files.py
parent8de4ca74ba49b3f97a252e2b9d385cb2e70c442c (diff)
downloaddjango-0b79eb36915d178aef5c6a7bbce71b1e76d376d3.tar.gz
Fixed CVE-2021-31542 -- Tightened path & file name sanitation in file uploads.
Diffstat (limited to 'django/db/models/fields/files.py')
-rw-r--r--django/db/models/fields/files.py2
1 files changed, 2 insertions, 0 deletions
diff --git a/django/db/models/fields/files.py b/django/db/models/fields/files.py
index d410771cf3..a2f972489f 100644
--- a/django/db/models/fields/files.py
+++ b/django/db/models/fields/files.py
@@ -6,6 +6,7 @@ from django.core import checks
from django.core.files.base import File
from django.core.files.images import ImageFile
from django.core.files.storage import Storage, default_storage
+from django.core.files.utils import validate_file_name
from django.db.models import signals
from django.db.models.fields import Field
from django.db.models.query_utils import DeferredAttribute
@@ -312,6 +313,7 @@ class FileField(Field):
Until the storage layer, all file paths are expected to be Unix style
(with forward slashes).
"""
+ filename = validate_file_name(filename)
if callable(self.upload_to):
filename = self.upload_to(instance, filename)
else:
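Review bot: The added `validate_file_name(filename)` call sanitises only the incoming filename; the value a callable `upload_to` returns on the very next line is carried forward unchecked within this hunk, so any path the callable assembles from that input is outside this check unless the storage layer re-validates it, which is not visible here. Either apply the same check to that return value, or make the contract explicit in the docstring that ends just above the added line, e.g. `The incoming filename is validated with validate_file_name() before upload_to is consulted; a callable upload_to is responsible for the path it returns.` generate_filename continues past the end of the hunk, including the body of the `else:` branch and the eventual storage call, so the hunk alone cannot confirm where the final name is validated.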