author | Mariusz Felisiak <felisiak.mariusz@gmail.com> | 2021-03-16 10:19:00 +0100 |
---|---|---|
committer | Mariusz Felisiak <felisiak.mariusz@gmail.com> | 2021-04-06 08:15:17 +0200 |
commit | d4d800ca1addc4141e03c5440a849bb64d1582cd (patch) | |
tree | 802665675aaa43631494b7712c96fccc8af66b88 /django/http/multipartparser.py | |
parent | 78fea27f690028204c03c28d821cb0c0240a7398 (diff) | |
download | django-d4d800ca1addc4141e03c5440a849bb64d1582cd.tar.gz |
Fixed CVE-2021-28658 -- Fixed potential directory-traversal via uploaded files.
Thanks Claude Paroz for the initial patch.
Thanks Dennis Brinkrolf for the report.
Diffstat (limited to 'django/http/multipartparser.py')
-rw-r--r-- | django/http/multipartparser.py | 13 |
1 files changed, 8 insertions, 5 deletions
diff --git a/django/http/multipartparser.py b/django/http/multipartparser.py
index 8078393a66..180a533bb6 100644
--- a/django/http/multipartparser.py
+++ b/django/http/multipartparser.py
@@ -212,9 +212,8 @@ class MultiPartParser:
 # This is a file, use the handler...
 file_name = disposition.get('filename')
 if file_name:
- file_name = os.path.basename(file_name)
 file_name = force_str(file_name, encoding, errors='replace')
- file_name = self.IE_sanitize(html.unescape(file_name))
+ file_name = self.sanitize_file_name(file_name)
 
 if not file_name:
 continue
@@ -306,9 +305,13 @@ class MultiPartParser:
 self._files.appendlist(force_str(old_field_name, self._encoding, errors='replace'), file_obj)
 break
 
- def IE_sanitize(self, filename):
- """Cleanup filename from Internet Explorer full paths."""
- return filename and filename[filename.rfind("\\") + 1:].strip()
+ def sanitize_file_name(self, file_name):
+ file_name = html.unescape(file_name)
+ # Cleanup Windows-style path separators.
+ file_name = file_name[file_name.rfind('\\') + 1:].strip()
+ return os.path.basename(file_name)
+
+ IE_sanitize = sanitize_file_name
 
 def _close_files(self):
 # Free up all file handles.
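Review bot: sanitize_file_name in the second hunk has no docstring, although the IE_sanitize it replaces had one and the new method's safety depends on statement order — html.unescape must run before the backslash split and os.path.basename, otherwise an entity-encoded separator survives the stripping, which is exactly what this commit corrects at the call site in the first hunk. A docstring such as `"""Return the bare file name of an uploaded file. HTML entities are decoded first so that an encoded path separator cannot survive the directory stripping that follows."""` would keep a later refactor from reordering those lines. The kept alias `IE_sanitize = sanitize_file_name` also changes behaviour for a None argument: the old body short-circuited on falsy input via `filename and ...`, whereas html.unescape(None) raises TypeError, so an external caller of the alias that passed None would now fail — the in-file caller is guarded by `if file_name:`, so this is only a compatibility concern. Note too that os.path.basename returns `.` and `..` unchanged; whether a later storage layer rejects such names is outside this hunk, so it is worth confirming or stating in the docstring. The enclosing MultiPartParser class begins outside the hunk.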