Fixed #32718 -- Relaxed file name validation in FileField.

- Validate filename returned by FileField.upload_to() not a filename passed to the FileField.generate_filename() (upload_to() may completely ignored passed filename). - Allow relative paths (without dot segments) in the generated filename. Thanks to Jakub Kleň for the report and review. Thanks to all folks for checking this patch on existing projects. Thanks Florian Apolloner and Markus Holtermann for the discussion and implementation idea. Regression in 0b79eb3691.
2025-08-30 23:37:50 +00:00 · 2021-05-13 08:53:44 +02:00 · 2021-05-13 08:53:44 +02:00 · b55699968f
commit b55699968f
parent b81c7562fc
8 changed files with 140 additions and 17 deletions
--- a/tests/model_fields/test_filefield.py
+++ b/tests/model_fields/test_filefield.py
@ -5,6 +5,7 @@ import tempfile
 import unittest
 from pathlib import Path

+from django.core.exceptions import SuspiciousFileOperation
 from django.core.files import File, temp
 from django.core.files.base import ContentFile
 from django.core.files.uploadedfile import TemporaryUploadedFile
@ -63,6 +64,15 @@ class FileFieldTests(TestCase):
        d.refresh_from_db()
        self.assertIs(d.myfile.instance, d)

+    @unittest.skipIf(sys.platform == 'win32', "Crashes with OSError on Windows.")
+    def test_save_without_name(self):
+        with tempfile.NamedTemporaryFile(suffix='.txt') as tmp:
+            document = Document.objects.create(myfile='something.txt')
+            document.myfile = File(tmp)
+            msg = f"Detected path traversal attempt in '{tmp.name}'"
+            with self.assertRaisesMessage(SuspiciousFileOperation, msg):
+                document.save()
+
    def test_defer(self):
        Document.objects.create(myfile='something.txt')
        self.assertEqual(Document.objects.defer('myfile')[0].myfile, 'something.txt')