path: root/django/http/multipartparser.py
authorFlorian Apolloner <florian@apolloner.eu>2021-04-14 18:23:44 +0200
committerCarlton Gibson <carlton.gibson@noumenal.es>2021-05-04 08:44:42 +0200
commit0b79eb36915d178aef5c6a7bbce71b1e76d376d3 (patch)
treeceb3f3df98ca1ee553f793121b6e43dc67ee2607 /django/http/multipartparser.py
parent8de4ca74ba49b3f97a252e2b9d385cb2e70c442c (diff)
downloaddjango-0b79eb36915d178aef5c6a7bbce71b1e76d376d3.tar.gz
Fixed CVE-2021-31542 -- Tightened path & file name sanitation in file uploads.
Diffstat (limited to 'django/http/multipartparser.py')
-rw-r--r--django/http/multipartparser.py22
1 files changed, 18 insertions, 4 deletions
diff --git a/django/http/multipartparser.py b/django/http/multipartparser.py
index 180a533bb6..f464caa1b4 100644
--- a/django/http/multipartparser.py
+++ b/django/http/multipartparser.py
@@ -9,7 +9,6 @@ import binascii
import cgi
import collections
import html
-import os
from urllib.parse import unquote
from django.conf import settings
@@ -306,10 +305,25 @@ class MultiPartParser:
break
def sanitize_file_name(self, file_name):
+ """
+ Sanitize the filename of an upload.
+
+ Remove all possible path separators, even though that might remove more
+ than actually required by the target system. Filenames that could
+ potentially cause problems (current/parent dir) are also discarded.
+
+ It should be noted that this function could still return a "filepath"
+ like "C:some_file.txt" which is handled later on by the storage layer.
+ So while this function does sanitize filenames to some extent, the
+ resulting filename should still be considered as untrusted user input.
+ """
file_name = html.unescape(file_name)
- # Cleanup Windows-style path separators.
- file_name = file_name[file_name.rfind('\\') + 1:].strip()
- return os.path.basename(file_name)
+ file_name = file_name.rsplit('/')[-1]
+ file_name = file_name.rsplit('\\')[-1]
+
+ if file_name in {'', '.', '..'}:
+ return None
+ return file_name
IE_sanitize = sanitize_file_name
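Review bot: The two `rsplit` lines drop the `.strip()` that the removed line applied, so a name with leading or trailing whitespace, or one consisting only of whitespace, now comes back unchanged and is not caught by the `{'', '.', '..'}` check, whereas the old code trimmed it and collapsed a blank name to `''`. If that trimming is still intended, `file_name = file_name.rsplit('\\')[-1].strip()` restores it; if the storage layer is relied on for it instead, the docstring should say so rather than leave the reader to infer it. Returning `None` is also a new contract for a method that previously always returned a str, and the code that consumes the result (including users of the `IE_sanitize` alias) lies outside this hunk, so it needs to be checked for `None` handling; the docstring should state the contract explicitly, e.g. `Return None when nothing usable is left (empty, '.' or '..').` The enclosing `MultiPartParser` class continues outside the hunk.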