author | Mariusz Felisiak <felisiak.mariusz@gmail.com> | 2021-03-16 10:19:00 +0100 |
---|---|---|
committer | Mariusz Felisiak <felisiak.mariusz@gmail.com> | 2021-04-06 08:15:17 +0200 |
commit | d4d800ca1addc4141e03c5440a849bb64d1582cd (patch) | |
tree | 802665675aaa43631494b7712c96fccc8af66b88 /tests/file_uploads/views.py | |
parent | 78fea27f690028204c03c28d821cb0c0240a7398 (diff) | |
Fixed CVE-2021-28658 -- Fixed potential directory-traversal via uploaded files.
Thanks Claude Paroz for the initial patch.
Thanks Dennis Brinkrolf for the report.
Diffstat (limited to 'tests/file_uploads/views.py')
-rw-r--r-- | tests/file_uploads/views.py | 9 |
1 files changed, 9 insertions, 0 deletions
diff --git a/tests/file_uploads/views.py b/tests/file_uploads/views.py
index d521f001fe..50de6238b4 100644
--- a/tests/file_uploads/views.py
+++ b/tests/file_uploads/views.py
@@ -9,6 +9,7 @@ from .models import FileModel
 from .tests import UNICODE_FILENAME, UPLOAD_TO
 from .uploadhandler import (
 ErroringUploadHandler, QuotaUploadHandler, StopUploadTemporaryFileHandler,
+ TraversalUploadHandler,
 )
 
 
@@ -162,3 +163,11 @@ def file_upload_fd_closing(request, access):
 if access == 't':
 request.FILES # Trigger file parsing.
 return HttpResponse()
+
+
+def file_upload_traversal_view(request):
+ request.upload_handlers.insert(0, TraversalUploadHandler())
+ request.FILES # Trigger file parsing.
+ return JsonResponse(
+ {'file_name': request.upload_handlers[0].file_name},
+ ) |
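Review bot: In the second hunk, `file_upload_traversal_view` reads the handler back as `request.upload_handlers[0]` instead of keeping a reference to the instance it inserted, so the JSON it returns depends on the handler list still having that instance first after parsing. Binding it to a local, `handler = TraversalUploadHandler()` then `request.upload_handlers.insert(0, handler)` and `{'file_name': handler.file_name}`, would make this regression fixture for CVE-2021-28658 report what that specific handler received. The view also has no docstring; a one-liner such as `"""Return the file name TraversalUploadHandler received during multipart parsing."""` would tell the next reader which value the test asserts on. TraversalUploadHandler is defined outside this diff, so whether `file_name` is set when no file part is posted cannot be confirmed from these lines.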