authorFlorian Apolloner <florian@apolloner.eu>2021-04-14 18:23:44 +0200
committerCarlton Gibson <carlton.gibson@noumenal.es>2021-05-04 08:44:42 +0200
commit0b79eb36915d178aef5c6a7bbce71b1e76d376d3 (patch)
treeceb3f3df98ca1ee553f793121b6e43dc67ee2607 /django/utils/text.py
parent8de4ca74ba49b3f97a252e2b9d385cb2e70c442c (diff)
downloaddjango-0b79eb36915d178aef5c6a7bbce71b1e76d376d3.tar.gz
Fixed CVE-2021-31542 -- Tightened path & file name sanitation in file uploads.
Diffstat (limited to 'django/utils/text.py')
-rw-r--r--django/utils/text.py10
1 files changed, 7 insertions, 3 deletions
diff --git a/django/utils/text.py b/django/utils/text.py
index 7cc388f7fe..7f3368b16a 100644
--- a/django/utils/text.py
+++ b/django/utils/text.py
@@ -4,6 +4,7 @@ import unicodedata
from gzip import GzipFile
from io import BytesIO
+from django.core.exceptions import SuspiciousFileOperation
from django.utils.functional import SimpleLazyObject, keep_lazy_text, lazy
from django.utils.regex_helper import _lazy_re_compile
from django.utils.translation import gettext as _, gettext_lazy, pgettext
@@ -221,7 +222,7 @@ class Truncator(SimpleLazyObject):
@keep_lazy_text
-def get_valid_filename(s):
+def get_valid_filename(name):
"""
Return the given string converted to a string that can be used for a clean
filename. Remove leading and trailing spaces; convert other spaces to
@@ -230,8 +231,11 @@ def get_valid_filename(s):
>>> get_valid_filename("john's portrait in 2004.jpg")
'johns_portrait_in_2004.jpg'
"""
- s = str(s).strip().replace(' ', '_')
- return re.sub(r'(?u)[^-\w.]', '', s)
+ s = str(name).strip().replace(' ', '_')
+ s = re.sub(r'(?u)[^-\w.]', '', s)
+ if s in {'', '.', '..'}:
+ raise SuspiciousFileOperation("Could not derive file name from '%s'" % name)
+ return s
@keep_lazy_text
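Review bot: The docstring still describes only the return value, while the new `if s in {'', '.', '..'}` check turns get_valid_filename into a function that can raise; callers that previously received an empty string for an all-punctuation input now get a SuspiciousFileOperation, so the contract should say so where the doctest does. I would add one line after the doctest, `Raise SuspiciousFileOperation if the sanitised result would be '', '.' or '..'.`, so the new failure mode is visible to anyone reading the function rather than only to whoever reads the body. The function's signature and the opening of its docstring are in the previous hunk, outside this one, so the added line belongs next to the doctest that this hunk already shows.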