[Django] #35817: Regression in default_storage.save(path, source)


Django

Oct 7, 2024, 3:41:55 AM
to django-...@googlegroups.com
#35817: Regression in default_storage.save(path, source)
-----------------------+------------------------------------------------
Reporter: Caram        | Type: Bug
Status: new            | Component: File uploads/storage
Version: 5.1           | Severity: Release blocker
Keywords:              | Triage Stage: Unreviewed
Has patch: 0           | Needs documentation: 0
Needs tests: 0         | Patch needs improvement: 0
Easy pickings: 0       | UI/UX: 0
-----------------------+------------------------------------------------
I've just upgraded from 5.0.1 to 5.1 and my users have just been hit by
this regression/feature in `django/core/files/storage/base.py`.

2 new calls have been made to `validate_file_name()` inside `save()`. And
this checks in particular that the path is not absolute - which it is in
my case and it needs to be so, because I'm (intentionally) saving files to
a different part of the filesystem.

This code had been working fine for ages and now it's broken.

Here is, I believe, a link to the culprit patch:

https://github.com/django/django/commit/fe4a0bbe2088d0c2b331216dad21ccd0bb3ee80d#diff-2f8524035203a28c596eb210d5b886a12d5a46215a649bee85f9987cc335d128L36
--
Ticket URL: <https://code.djangoproject.com/ticket/35817>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.

Django

Oct 7, 2024, 3:47:31 AM
to django-...@googlegroups.com
#35817: Regression in default_storage.save(path, source)
--------------------------------+-------------------------------------
Reporter: Caram                 | Owner: (none)
Type: Bug                       | Status: new
Component: File uploads/storage | Version: 5.1
Severity: Release blocker       | Resolution:
Keywords:                       | Triage Stage: Unreviewed
Has patch: 0                    | Needs documentation: 0
Needs tests: 0                  | Patch needs improvement: 0
Easy pickings: 0                | UI/UX: 0
--------------------------------+-------------------------------------
Comment (by Caram):

Actually this was introduced in 5.0.7: CVE-2024-39330: Potential
directory-traversal via `Storage.save()`
--
Ticket URL: <https://code.djangoproject.com/ticket/35817#comment:1>

Django

Oct 7, 2024, 8:39:16 AM
to django-...@googlegroups.com
#35817: Regression in default_storage.save(path, source)
--------------------------------+-------------------------------------
Reporter: Caram                 | Owner: (none)
Type: Bug                       | Status: closed
Component: File uploads/storage | Version: 5.1
Severity: Normal                | Resolution: wontfix
Keywords:                       | Triage Stage: Unreviewed
Has patch: 0                    | Needs documentation: 0
Needs tests: 0                  | Patch needs improvement: 0
Easy pickings: 0                | UI/UX: 0
--------------------------------+-------------------------------------
Changes (by Natalia Bidart):

* resolution: => wontfix
* severity: Release blocker => Normal
* status: new => closed

Comment:

Hello Caram,

As you have correctly found, this was indeed a security fix applied to all
supported Django versions. The description of the issue was posted in
https://www.djangoproject.com/weblog/2024/jul/09/security-releases/. This
fix provides enhanced security and avoids potential path traversals in file
storages.

We will not revert the security fix for the reasons stated in the post.
What you could do is to use relative paths in the `save` call and make
those paths absolute inside the `_save` method, just like the provided
`FileSystemStorage` does (see the
[https://github.com/django/django/blob/main/django/core/files/storage/filesystem.py#L83 full_path call]).
Another example of a well known storage doing this (mapping between
absolute and relative paths, see
[https://github.com/jschneier/django-storages/blob/master/storages/backends/dropbox.py#L119 _full_path])
is the `DropboxStorage` in `django-storages`.
--
Ticket URL: <https://code.djangoproject.com/ticket/35817#comment:2>
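The pattern recommended in the reply above (relative names passed to `save()`, the absolute location computed inside `_save()`), as an added example that is not part of the ticket thread or of Django's code. `RelativeNameStorage`, `demo` and the simplified `validate_file_name` below are constructed for illustration, modelled on the check the ticket describes, and run without Django installed.

```python
import os
import pathlib
import tempfile


class SuspiciousFileOperation(Exception):
    """Same name as Django's exception; defined here so the example runs without Django."""


def validate_file_name(name):
    # Modelled on the check Storage.save() now applies: relative names only, no '..'.
    if os.path.basename(name) in {"", ".", ".."}:
        raise SuspiciousFileOperation(f"Could not derive file name from {name!r}")
    path = pathlib.PurePosixPath(str(name).replace("\\", "/"))
    if path.is_absolute() or ".." in path.parts:
        raise SuspiciousFileOperation(f"Detected path traversal attempt in {name!r}")
    return name


class RelativeNameStorage:
    # Hypothetical storage (not Django's): callers pass relative names and _save()
    # maps them to an absolute location under base_dir, as the ticket reply recommends.
    def __init__(self, base_dir):
        self.base_dir = os.path.realpath(base_dir)

    def path(self, name):
        # Resolve under base_dir and confirm the result is still inside it.
        full = os.path.realpath(os.path.join(self.base_dir, name))
        if os.path.commonpath([self.base_dir, full]) != self.base_dir:
            raise SuspiciousFileOperation(f"{name!r} resolves outside {self.base_dir}")
        return full

    def save(self, name, content):
        validate_file_name(name)  # absolute names are refused here, like Storage.save()
        return self._save(name, content)

    def _save(self, name, content):
        full = self.path(name)  # the absolute path is computed here, not by the caller
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(content)
        return name


def demo(base_dir=None):
    # Constructed run: a nested relative name is saved, an absolute one is refused.
    storage = RelativeNameStorage(base_dir or tempfile.mkdtemp())
    saved = storage.save("reports/2024/summary.txt", b"ok")
    exists = os.path.isfile(os.path.join(storage.base_dir, "reports/2024/summary.txt"))
    try:
        storage.save("/var/tmp/summary.txt", b"ok")
        return saved, exists, False
    except SuspiciousFileOperation:
        return saved, exists, True
```

A storage that must write outside `MEDIA_ROOT` keeps that base directory as backend configuration (the `base_dir` argument here) rather than accepting it from the caller in the file name.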