Fixed #23157 -- Removed O(n) algorithm when uploading duplicate file names.

This is a security fix. Disclosure following shortly.
2025-08-03 10:34:04 +00:00 · 2014-08-08 10:20:08 -04:00 · 2014-08-08 10:20:08 -04:00 · 0d8d30b7dd
commit 0d8d30b7dd
parent 28e765810d
8 changed files with 122 additions and 27 deletions
--- a/docs/ref/files/storage.txt
+++ b/docs/ref/files/storage.txt
@ -112,6 +112,18 @@ The Storage Class
        available for new content to be written to on the target storage
        system.

+        .. versionchanged:: 1.7
+
+        If a file with ``name`` already exists, an underscore plus a random 7
+        character alphanumeric string is appended to the filename before the
+        extension.
+
+        Previously, an underscore followed by a number (e.g. ``"_1"``, ``"_2"``,
+        etc.) was appended to the filename until an avaible name in the
+        destination directory was found. A malicious user could exploit this
+        deterministic algorithm to create a denial-of-service attack. This
+        change was also made in Django 1.6.6, 1.5.9, and 1.4.14.
+
    .. method:: get_valid_name(name)

        Returns a filename based on the ``name`` parameter that's suitable