From d4d800ca1addc4141e03c5440a849bb64d1582cd Mon Sep 17 00:00:00 2001
From: Mariusz Felisiak
Date: Tue, 16 Mar 2021 10:19:00 +0100
Subject: Fixed CVE-2021-28658 -- Fixed potential directory-traversal via uploaded files.

Thanks Claude Paroz for the initial patch.

Thanks Dennis Brinkrolf for the report.
---
 tests/file_uploads/views.py | 9 +++++++++
 1 file changed, 9 insertions(+)

(limited to 'tests/file_uploads/views.py')

diff --git a/tests/file_uploads/views.py b/tests/file_uploads/views.py
index d521f001fe..50de6238b4 100644
--- a/tests/file_uploads/views.py
+++ b/tests/file_uploads/views.py
@@ -9,6 +9,7 @@ from .models import FileModel
 from .tests import UNICODE_FILENAME, UPLOAD_TO
 from .uploadhandler import (
     ErroringUploadHandler, QuotaUploadHandler, StopUploadTemporaryFileHandler,
+    TraversalUploadHandler,
 )
 
 
@@ -162,3 +163,11 @@ def file_upload_fd_closing(request, access):
     if access == 't':
         request.FILES  # Trigger file parsing.
     return HttpResponse()
+
+
+def file_upload_traversal_view(request):
+    request.upload_handlers.insert(0, TraversalUploadHandler())
+    request.FILES  # Trigger file parsing.
+    return JsonResponse(
+        {'file_name': request.upload_handlers[0].file_name},
+    )
--
cgit v1.2.1
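Review bot: In `file_upload_traversal_view` the handler is created inline and then read back positionally via `request.upload_handlers[0].file_name`, which ties the response to the list index rather than to the object the view itself inserted; binding it once reads more clearly and survives any later reordering of handlers: `handler = TraversalUploadHandler()`, `request.upload_handlers.insert(0, handler)`, `{'file_name': handler.file_name},`. The `file_name` attribute is presumably assigned by `TraversalUploadHandler` while `request.FILES` is parsed (its definition lives in `.uploadhandler`, outside this hunk), so a request carrying no file would likely raise `AttributeError` instead of returning a JSON body — acceptable for a test-only view, but worth a one-line docstring so the intent is explicit, e.g. `"""Echo the filename the first upload handler received, so tests can check traversal sanitisation."""`. The same `request.FILES  # Trigger file parsing.` idiom is used by the neighbouring `file_upload_fd_closing`, whose header starts before this hunk, so the style is consistent with the file.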