[Django] #35607: Improve Storage base backend API Flexibility


Django

Jul 16, 2024, 10:39:56 AM
to django-...@googlegroups.com
#35607: Improve Storage base backend API Flexibility
-------------------------------------+-------------------------------------
Reporter: Natalia Bidart             | Type: Cleanup/optimization
Status: new                          | Component: Core (Other)
Version:                             | Severity: Normal
Keywords: storages                   | Triage Stage: Unreviewed
Has patch: 0                         | Needs documentation: 0
Needs tests: 0                       | Patch needs improvement: 0
Easy pickings: 0                     | UI/UX: 0
-------------------------------------+-------------------------------------
Currently, Django's Storage base backend API provides limited flexibility
with regard to customization, particularly concerning filename
validation. This rigidity has historically led to challenges and security
concerns. See for example CVE-2024-39330
<https://nvd.nist.gov/vuln/detail/CVE-2024-39330>, CVE-2021-45452
<https://nvd.nist.gov/vuln/detail/CVE-2021-45452>, and CVE-2021-31542
<https://nvd.nist.gov/vuln/detail/CVE-2021-31542>.

To address this, I'm proposing revisiting and enhancing the public API of
storage backends to support customizable validation methods. This was also
discussed internally in the Django Security mailing list. This public
validation method would provide a default implementation very similar to
the current validations, and should be used to replace the ad-hoc
validations being done in save, generate_filename, and get_available_name.
--
Ticket URL: <https://code.djangoproject.com/ticket/35607>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
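As an added illustration of the shape the ticket proposes (this is example code written for this page, not Django's Storage class and not a patch from the reporter), the sketch below is a minimal in-memory storage whose generate_filename, get_available_name and save all route through one public validate_file_name hook instead of each carrying its own checks. The hook name, the in-memory backing store and the specific checks (basename must not be empty, "." or ".."; no absolute paths; no ".." segments when a relative path is allowed) are assumptions modelled on the behaviour Django's existing validate_file_name helper is described as having, reimplemented here without importing Django so the file runs stand-alone. A subclass that needs a different policy overrides the single hook rather than patching three methods.

```python
import posixpath
import re


class SuspiciousFileOperation(Exception):
    """Stand-in for django.core.exceptions.SuspiciousFileOperation (constructed)."""


def validate_file_name(name, allow_relative_path=False):
    """Reject a name that could escape the storage root.

    Self-contained reimplementation in the spirit of Django's helper of the
    same name (assumption: not Django's code):
      * the basename must not be '', '.' or '..';
      * with allow_relative_path=False the name must be a bare basename;
      * with allow_relative_path=True the name must be relative and contain
        no '..' segment.
    """
    base = posixpath.basename(name)
    if base in {"", ".", ".."}:
        raise SuspiciousFileOperation(f"Could not derive file name from '{name}'")
    if allow_relative_path:
        parts = name.split("/")
        if name.startswith("/") or ".." in parts:
            raise SuspiciousFileOperation(f"Detected path traversal attempt in '{name}'")
    elif name != base:
        raise SuspiciousFileOperation(f"File name '{name}' includes path elements")
    return name


class ValidatingStorage:
    """Hypothetical storage backend with one public validation hook (constructed)."""

    def __init__(self):
        self._files = {}  # relative name -> bytes; stands in for a real backend

    def validate_file_name(self, name, allow_relative_path=False):
        # The single public hook: subclasses override this to change policy.
        return validate_file_name(name, allow_relative_path)

    def get_valid_name(self, name):
        # Sanitize a bare filename: spaces to underscores, drop anything that
        # is not a word character, hyphen or dot, and refuse an empty result.
        cleaned = re.sub(r"(?u)[^-\w.]", "", str(name).strip().replace(" ", "_"))
        if cleaned in {"", ".", ".."}:
            raise SuspiciousFileOperation(f"Could not derive file name from '{name}'")
        return cleaned

    def generate_filename(self, filename):
        # Normalize separators, then validate the raw path before sanitizing
        # so a '..' in the directory part is caught before normpath hides it.
        filename = str(filename).replace("\\", "/")
        self.validate_file_name(filename, allow_relative_path=True)
        dirname, basename = posixpath.split(filename)
        return posixpath.normpath(posixpath.join(dirname, self.get_valid_name(basename)))

    def get_available_name(self, name):
        # Validate again here: callers may pass a name that bypassed generate_filename.
        name = self.validate_file_name(name, allow_relative_path=True)
        dirname, basename = posixpath.split(name)
        root, ext = posixpath.splitext(basename)
        counter = 0
        while name in self._files:
            counter += 1
            name = posixpath.join(dirname, f"{root}_{counter}{ext}")
        return name

    def save(self, name, content):
        name = self.get_available_name(self.generate_filename(name))
        self._files[name] = bytes(content)
        return name

    def exists(self, name):
        return name in self._files


def is_rejected(func, *args, **kwargs):
    """True if func(*args, **kwargs) raises SuspiciousFileOperation."""
    try:
        func(*args, **kwargs)
    except SuspiciousFileOperation:
        return True
    return False


if __name__ == "__main__":
    storage = ValidatingStorage()
    print(storage.save("uploads/my report.pdf", b"constructed content"))
    print(storage.save("uploads/my report.pdf", b"constructed content"))
    print(is_rejected(storage.save, "uploads/../../etc/passwd", b""))
```

Because every entry point calls the same hook, a test suite for a custom backend only needs to exercise validate_file_name directly plus one end-to-end save to confirm the wiring, which is the maintainability argument the ticket makes for replacing the ad-hoc checks.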