author | Mariusz Felisiak <felisiak.mariusz@gmail.com> | 2021-05-13 08:53:44 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2021-05-13 08:53:44 +0200 |
commit | b55699968fc9ee985384c64e37f6cc74a0a23683 (patch) | |
tree | ec84729969a2c35777792ef5ca2df54d238391ff /tests/model_fields | |
parent | b81c7562fc33f50166d5120138d6398dc42b13c3 (diff) | |
download | django-b55699968fc9ee985384c64e37f6cc74a0a23683.tar.gz |
Fixed #32718 -- Relaxed file name validation in FileField.
- Validate the filename returned by FileField.upload_to(), not the filename
passed to FileField.generate_filename() (upload_to() may
completely ignore the passed filename).
- Allow relative paths (without dot segments) in the generated filename.
Thanks to Jakub Kleň for the report and review.
Thanks to all folks for checking this patch on existing projects.
Thanks Florian Apolloner and Markus Holtermann for the discussion and
implementation idea.
Regression in 0b79eb36915d178aef5c6a7bbce71b1e76d376d3.
Diffstat (limited to 'tests/model_fields')
-rw-r--r-- | tests/model_fields/test_filefield.py | 10 |
1 files changed, 10 insertions, 0 deletions
diff --git a/tests/model_fields/test_filefield.py b/tests/model_fields/test_filefield.py
index 51e29f6d25..fb9426e2d1 100644
--- a/tests/model_fields/test_filefield.py
+++ b/tests/model_fields/test_filefield.py
@@ -5,6 +5,7 @@ import tempfile
 import unittest
 from pathlib import Path
 
+from django.core.exceptions import SuspiciousFileOperation
 from django.core.files import File, temp
 from django.core.files.base import ContentFile
 from django.core.files.uploadedfile import TemporaryUploadedFile
@@ -63,6 +64,15 @@ class FileFieldTests(TestCase):
 d.refresh_from_db()
 self.assertIs(d.myfile.instance, d)
 
+ @unittest.skipIf(sys.platform == 'win32', "Crashes with OSError on Windows.")
+ def test_save_without_name(self):
+ with tempfile.NamedTemporaryFile(suffix='.txt') as tmp:
+ document = Document.objects.create(myfile='something.txt')
+ document.myfile = File(tmp)
+ msg = f"Detected path traversal attempt in '{tmp.name}'"
+ with self.assertRaisesMessage(SuspiciousFileOperation, msg):
+ document.save()
+
 def test_defer(self):
 Document.objects.create(myfile='something.txt')
 self.assertEqual(Document.objects.defer('myfile')[0].myfile, 'something.txt') |
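Review bot: In the second hunk, `test_save_without_name` pins only the absolute-path rejection, since the expected message is built from `tmp.name`, and the `skipIf` leaves even that check unexercised on Windows, where separator and absolute-path rules differ. The commit message also describes validating what `upload_to()` returns and allowing relative paths without dot segments, but this hunk covers neither a `..` segment nor a callable `upload_to`. Tests outside `tests/model_fields` may cover them, as the page shows only this directory. I would add a comment above the assignment, `# File(tmp) is given no name, so it takes tmp.name, an absolute path.`, because the test name alone suggests the file has no name at all. A platform-independent case built with the already imported `ContentFile` and an explicit name would let the rejection run on every platform. The `FileFieldTests` class body starts and continues outside the hunk.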