Fixed CVE-2024-39330 -- Added extra file name validation in Storage's save method.

Thanks to Josh Schneier for the report, and to Carlton Gibson and Sarah Boyce for the reviews.
2025-08-04 10:59:45 +00:00 · 2024-03-20 13:55:21 -03:00 · 2024-03-20 13:55:21 -03:00 · fe4a0bbe20
commit fe4a0bbe20
parent 5d86458579
7 changed files with 114 additions and 13 deletions
--- a/tests/file_uploads/tests.py
+++ b/tests/file_uploads/tests.py
@ -880,7 +880,7 @@ class DirectoryCreationTests(SimpleTestCase):
        default_storage.delete(UPLOAD_TO)
        # Create a file with the upload directory name
        with SimpleUploadedFile(UPLOAD_TO, b"x") as file:
-            default_storage.save(UPLOAD_TO, file)
+            default_storage.save(UPLOAD_FOLDER, file)
        self.addCleanup(default_storage.delete, UPLOAD_TO)
        msg = "%s exists and is not a directory." % UPLOAD_TO
        with self.assertRaisesMessage(FileExistsError, msg):