File CVE-2021-31542.patch of Package python-Django
commit 8f122c009eb4ade5d253504035df1fa5850a076e
Author: Florian Apolloner <florian@apolloner.eu>
Date: Wed Apr 14 18:23:44 2021 +0200
[2.2.x] Fixed CVE-2021-31542 -- Tightened path & file name sanitation in file uploads.
(cherry picked from commit 04ac1624bdc2fa737188401757cf95ced122d26d)
(cherry picked from commit c2c3c23bdeacea4d5f78892f94270068870d6a54)
diff --git a/django/core/files/storage.py b/django/core/files/storage.py
index df92f0af8a28..6e27ade9b7d7 100644
--- a/django/core/files/storage.py
+++ b/django/core/files/storage.py
@@ -1,5 +1,6 @@
import errno
import os
+import pathlib
import warnings
from datetime import datetime
@@ -7,6 +8,7 @@ from django.conf import settings
from django.core.exceptions import SuspiciousFileOperation
from django.core.files import File, locks
from django.core.files.move import file_move_safe
+from django.core.files.utils import validate_file_name
from django.utils._os import abspathu, safe_join
from django.utils.crypto import get_random_string
from django.utils.deconstruct import deconstructible
@@ -77,6 +79,9 @@ class Storage(object):
available for new content to be written to.
"""
dir_name, file_name = os.path.split(name)
+ if '..' in pathlib.PurePath(dir_name).parts:
+ raise SuspiciousFileOperation("Detected path traversal attempt in '%s'" % dir_name)
+ validate_file_name(file_name)
file_root, file_ext = os.path.splitext(file_name)
# If the filename already exists, add an underscore and a random 7
# character alphanumeric string (before the file extension, if one
@@ -109,6 +114,8 @@ class Storage(object):
"""
# `filename` may include a path as returned by FileField.upload_to.
dirname, filename = os.path.split(filename)
+ if '..' in pathlib.PurePath(dirname).parts:
+ raise SuspiciousFileOperation("Detected path traversal attempt in '%s'" % dirname)
return os.path.normpath(os.path.join(dirname, self.get_valid_name(filename)))
def path(self, name):
diff --git a/django/core/files/uploadedfile.py b/django/core/files/uploadedfile.py
index 20eaecea755d..bcd438d39337 100644
--- a/django/core/files/uploadedfile.py
+++ b/django/core/files/uploadedfile.py
@@ -9,6 +9,7 @@ from io import BytesIO
from django.conf import settings
from django.core.files import temp as tempfile
from django.core.files.base import File
+from django.core.files.utils import validate_file_name
from django.utils.encoding import force_str
__all__ = ('UploadedFile', 'TemporaryUploadedFile', 'InMemoryUploadedFile',
@@ -51,6 +52,8 @@ class UploadedFile(File):
ext = ext[:255]
name = name[:255 - len(ext)] + ext
+ name = validate_file_name(name)
+
self._name = name
name = property(_get_name, _set_name)
diff --git a/django/core/files/utils.py b/django/core/files/utils.py
index 8cc212fe1fae..1e14c677edae 100644
--- a/django/core/files/utils.py
+++ b/django/core/files/utils.py
@@ -1,3 +1,19 @@
+import os
+
+from django.core.exceptions import SuspiciousFileOperation
+
+
+def validate_file_name(name):
+ if name != os.path.basename(name):
+ raise SuspiciousFileOperation("File name '%s' includes path elements" % name)
+
+ # Remove potentially dangerous names
+ if name in {'', '.', '..'}:
+ raise SuspiciousFileOperation("Could not derive file name from '%s'" % name)
+
+ return name
+
+
class FileProxyMixin(object):
"""
A mixin class used to forward file methods to an underlaying file
diff --git a/django/db/models/fields/files.py b/django/db/models/fields/files.py
index 20374ba8e69a..011a0040bf7e 100644
--- a/django/db/models/fields/files.py
+++ b/django/db/models/fields/files.py
@@ -8,6 +8,7 @@ from django.core import checks
from django.core.files.base import File
from django.core.files.images import ImageFile
from django.core.files.storage import default_storage
+from django.core.files.utils import validate_file_name
from django.db.models import signals
from django.db.models.fields import Field
from django.utils import six
@@ -343,6 +344,7 @@ class FileField(Field):
Until the storage layer, all file paths are expected to be Unix style
(with forward slashes).
"""
+ filename = validate_file_name(filename)
if callable(self.upload_to):
filename = self.upload_to(instance, filename)
else:
diff --git a/django/http/multipartparser.py b/django/http/multipartparser.py
index 176f953b5cd3..396a2bcd995a 100644
--- a/django/http/multipartparser.py
+++ b/django/http/multipartparser.py
@@ -9,7 +9,7 @@ from __future__ import unicode_literals
import base64
import binascii
import cgi
-import os
+import HTMLParser
import sys
from django.conf import settings
@@ -21,7 +21,6 @@ from django.utils import six
from django.utils.datastructures import MultiValueDict
from django.utils.encoding import force_text
from django.utils.six.moves.urllib.parse import unquote
-from django.utils.text import unescape_entities
__all__ = ('MultiPartParser', 'MultiPartParserError', 'InputStreamExhausted')
@@ -277,10 +276,25 @@ class MultiPartParser(object):
break
def sanitize_file_name(self, file_name):
- file_name = unescape_entities(file_name)
- # Cleanup Windows-style path separators.
- file_name = file_name[file_name.rfind('\\') + 1:].strip()
- return os.path.basename(file_name)
+ """
+ Sanitize the filename of an upload.
+
+ Remove all possible path separators, even though that might remove more
+ than actually required by the target system. Filenames that could
+ potentially cause problems (current/parent dir) are also discarded.
+
+ It should be noted that this function could still return a "filepath"
+ like "C:some_file.txt" which is handled later on by the storage layer.
+ So while this function does sanitize filenames to some extent, the
+ resulting filename should still be considered as untrusted user input.
+ """
+ file_name = HTMLParser.HTMLParser().unescape(file_name)
+ file_name = file_name.rsplit('/')[-1]
+ file_name = file_name.rsplit('\\')[-1]
+
+ if file_name in {'', '.', '..'}:
+ return None
+ return file_name
IE_sanitize = sanitize_file_name
diff --git a/django/utils/text.py b/django/utils/text.py
index db7b5e00ad0c..fad5b18818c1 100644
--- a/django/utils/text.py
+++ b/django/utils/text.py
@@ -6,6 +6,7 @@ import warnings
from gzip import GzipFile
from io import BytesIO
+from django.core.exceptions import SuspiciousFileOperation
from django.utils import six
from django.utils.deprecation import RemovedInDjango19Warning
from django.utils.encoding import force_text
@@ -231,7 +232,7 @@ class Truncator(SimpleLazyObject):
return out
-def get_valid_filename(s):
+def get_valid_filename(name):
"""
Returns the given string converted to a string that can be used for a clean
filename. Specifically, leading and trailing spaces are removed; other
@@ -240,8 +241,11 @@ def get_valid_filename(s):
>>> get_valid_filename("john's portrait in 2004.jpg")
'johns_portrait_in_2004.jpg'
"""
- s = force_text(s).strip().replace(' ', '_')
- return re.sub(r'(?u)[^-\w.]', '', s)
+ s = str(name).strip().replace(' ', '_')
+ s = re.sub(r'(?u)[^-\w.]', '', s)
+ if s in {'', '.', '..'}:
+ raise SuspiciousFileOperation("Could not derive file name from '%s'" % name)
+ return s
get_valid_filename = allow_lazy(get_valid_filename, six.text_type)
diff --git a/docs/releases/2.2.21.txt b/docs/releases/2.2.21.txt
new file mode 100644
index 000000000000..f32aeadff767
--- /dev/null
+++ b/docs/releases/2.2.21.txt
@@ -0,0 +1,17 @@
+===========================
+Django 2.2.21 release notes
+===========================
+
+*May 4, 2021*
+
+Django 2.2.21 fixes a security issue in 2.2.20.
+
+CVE-2021-31542: Potential directory-traversal via uploaded files
+================================================================
+
+``MultiPartParser``, ``UploadedFile``, and ``FieldFile`` allowed
+directory-traversal via uploaded files with suitably crafted file names.
+
+In order to mitigate this risk, stricter basename and path sanitation is now
+applied. Specifically, empty file names and paths with dot segments will be
+rejected.
diff --git a/tests/file_storage/test_generate_filename.py b/tests/file_storage/test_generate_filename.py
index 44320138509b..6f79da39278e 100644
--- a/tests/file_storage/test_generate_filename.py
+++ b/tests/file_storage/test_generate_filename.py
@@ -1,8 +1,9 @@
import os
import warnings
+from django.core.exceptions import SuspiciousFileOperation
from django.core.files.base import ContentFile
-from django.core.files.storage import Storage
+from django.core.files.storage import FileSystemStorage, Storage
from django.db.models import FileField
from django.test import SimpleTestCase
@@ -37,6 +38,44 @@ class AWSS3Storage(Storage):
class GenerateFilenameStorageTests(SimpleTestCase):
+ def test_storage_dangerous_paths(self):
+ candidates = [
+ ('/tmp/..', '..'),
+ ('/tmp/.', '.'),
+ ('', ''),
+ ]
+ s = FileSystemStorage()
+ msg = "Could not derive file name from '%s'"
+ for file_name, base_name in candidates:
+ with self.subTest(file_name=file_name):
+ with self.assertRaisesMessage(SuspiciousFileOperation, msg % base_name):
+ s.get_available_name(file_name)
+ with self.assertRaisesMessage(SuspiciousFileOperation, msg % base_name):
+ s.generate_filename(file_name)
+
+ def test_storage_dangerous_paths_dir_name(self):
+ file_name = '/tmp/../path'
+ s = FileSystemStorage()
+ msg = "Detected path traversal attempt in '/tmp/..'"
+ with self.assertRaisesMessage(SuspiciousFileOperation, msg):
+ s.get_available_name(file_name)
+ with self.assertRaisesMessage(SuspiciousFileOperation, msg):
+ s.generate_filename(file_name)
+
+ def test_filefield_dangerous_filename(self):
+ candidates = ['..', '.', '', '???', '$.$.$']
+ f = FileField(upload_to='some/folder/')
+ msg = "Could not derive file name from '%s'"
+ for file_name in candidates:
+ with self.subTest(file_name=file_name):
+ with self.assertRaisesMessage(SuspiciousFileOperation, msg % file_name):
+ f.generate_filename(None, file_name)
+
+ def test_filefield_dangerous_filename_dir(self):
+ f = FileField(upload_to='some/folder/')
+ msg = "File name '/tmp/path' includes path elements"
+ with self.assertRaisesMessage(SuspiciousFileOperation, msg):
+ f.generate_filename(None, '/tmp/path')
def test_filefield_get_directory_deprecation(self):
with warnings.catch_warnings(record=True) as warns:
diff --git a/tests/file_uploads/tests.py b/tests/file_uploads/tests.py
index d08bc8016eda..fbda6995021b 100644
--- a/tests/file_uploads/tests.py
+++ b/tests/file_uploads/tests.py
@@ -10,8 +10,9 @@ import shutil
import tempfile as sys_tempfile
import unittest
+from django.core.exceptions import SuspiciousFileOperation
from django.core.files import temp as tempfile
-from django.core.files.uploadedfile import SimpleUploadedFile
+from django.core.files.uploadedfile import SimpleUploadedFile, UploadedFile
from django.http.multipartparser import MultiPartParser, parse_header
from django.test import TestCase, client, override_settings
from django.utils.encoding import force_bytes
@@ -40,6 +41,16 @@ CANDIDATE_TRAVERSAL_FILE_NAMES = [
'../hax0rd.txt', # HTML entities.
]
+CANDIDATE_INVALID_FILE_NAMES = [
+ '/tmp/', # Directory, *nix-style.
+ 'c:\\tmp\\', # Directory, win-style.
+ '/tmp/.', # Directory dot, *nix-style.
+ 'c:\\tmp\\.', # Directory dot, *nix-style.
+ '/tmp/..', # Parent directory, *nix-style.
+ 'c:\\tmp\\..', # Parent directory, win-style.
+ '', # Empty filename.
+]
+
@override_settings(MEDIA_ROOT=MEDIA_ROOT, ROOT_URLCONF='file_uploads.urls', MIDDLEWARE_CLASSES=())
class FileUploadTests(TestCase):
@@ -55,6 +66,22 @@ class FileUploadTests(TestCase):
shutil.rmtree(MEDIA_ROOT)
super(FileUploadTests, cls).tearDownClass()
+ def test_upload_name_is_validated(self):
+ candidates = [
+ '/tmp/',
+ '/tmp/..',
+ '/tmp/.',
+ ]
+ if sys.platform == 'win32':
+ candidates.extend([
+ 'c:\\tmp\\',
+ 'c:\\tmp\\..',
+ 'c:\\tmp\\.',
+ ])
+ for file_name in candidates:
+ with self.subTest(file_name=file_name):
+ self.assertRaises(SuspiciousFileOperation, UploadedFile, name=file_name)
+
def test_simple_upload(self):
with open(__file__, 'rb') as fp:
post_data = {
@@ -638,6 +665,15 @@ class MultiParserTests(unittest.TestCase):
with self.subTest(file_name=file_name):
self.assertEqual(parser.sanitize_file_name(file_name), 'hax0rd.txt')
+ def test_sanitize_invalid_file_name(self):
+ parser = MultiPartParser({
+ 'CONTENT_TYPE': 'multipart/form-data; boundary=_foo',
+ 'CONTENT_LENGTH': '1',
+ }, StringIO('x'), [], 'utf-8')
+ for file_name in CANDIDATE_INVALID_FILE_NAMES:
+ with self.subTest(file_name=file_name):
+ self.assertIsNone(parser.sanitize_file_name(file_name))
+
def test_rfc2231_parsing(self):
test_data = (
(b"Content-Type: application/x-stuff; title*=us-ascii'en-us'This%20is%20%2A%2A%2Afun%2A%2A%2A",
diff --git a/tests/utils_tests/test_text.py b/tests/utils_tests/test_text.py
index 5fe66e7b900b..c3dcbf42f8fd 100644
--- a/tests/utils_tests/test_text.py
+++ b/tests/utils_tests/test_text.py
@@ -5,6 +5,7 @@ import json
import warnings
from unittest import skipUnless
+from django.core.exceptions import SuspiciousFileOperation
from django.test import SimpleTestCase, ignore_warnings
from django.test.utils import reset_warning_registry
from django.utils import six, text
@@ -217,6 +218,13 @@ class TestUtilsText(SimpleTestCase):
def test_get_valid_filename(self):
filename = "^&'@{}[],$=!-#()%+~_123.txt"
self.assertEqual(text.get_valid_filename(filename), "-_123.txt")
+ msg = "Could not derive file name from '???'"
+ with self.assertRaisesMessage(SuspiciousFileOperation, msg):
+ text.get_valid_filename('???')
+ # After sanitizing this would yield '..'.
+ msg = "Could not derive file name from '$.$.$'"
+ with self.assertRaisesMessage(SuspiciousFileOperation, msg):
+ text.get_valid_filename('$.$.$')
def test_compress_sequence(self):
data = [{'key': i} for i in range(10)]
