authorMariusz Felisiak <felisiak.mariusz@gmail.com>2021-03-16 10:19:00 +0100
committerMariusz Felisiak <felisiak.mariusz@gmail.com>2021-04-06 08:15:17 +0200
commitd4d800ca1addc4141e03c5440a849bb64d1582cd (patch)
tree802665675aaa43631494b7712c96fccc8af66b88 /tests/file_uploads/views.py
parent78fea27f690028204c03c28d821cb0c0240a7398 (diff)
downloaddjango-d4d800ca1addc4141e03c5440a849bb64d1582cd.tar.gz
Fixed CVE-2021-28658 -- Fixed potential directory-traversal via uploaded files.
Thanks Claude Paroz for the initial patch. Thanks Dennis Brinkrolf for the report.
Diffstat (limited to 'tests/file_uploads/views.py')
-rw-r--r--tests/file_uploads/views.py9
1 files changed, 9 insertions, 0 deletions
diff --git a/tests/file_uploads/views.py b/tests/file_uploads/views.py
index d521f001fe..50de6238b4 100644
--- a/tests/file_uploads/views.py
+++ b/tests/file_uploads/views.py
@@ -9,6 +9,7 @@ from .models import FileModel
from .tests import UNICODE_FILENAME, UPLOAD_TO
from .uploadhandler import (
ErroringUploadHandler, QuotaUploadHandler, StopUploadTemporaryFileHandler,
+ TraversalUploadHandler,
)
@@ -162,3 +163,11 @@ def file_upload_fd_closing(request, access):
if access == 't':
request.FILES # Trigger file parsing.
return HttpResponse()
+
+
+def file_upload_traversal_view(request):
+ request.upload_handlers.insert(0, TraversalUploadHandler())
+ request.FILES # Trigger file parsing.
+ return JsonResponse(
+ {'file_name': request.upload_handlers[0].file_name},
+ )