#37081: loaddata fails when a directory in the fixture path contains a dot
-------------------------------------+-------------------------------------
Reporter: Alisson Silveira | Owner: Alisson Silveira
Type: Bug | Status: assigned
Component: Core (Management commands) | Version: dev
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Comment (by Raffaella):
Replying to [comment:4 Sarah Boyce]:
> Thank you! I think this is a bug worth addressing.
> My only concern was whether this could create any path traversal issues
> allowing something like `fixtures/../secret.json` but I think this would
> be out of the scope of security issues anyway. See
> https://docs.djangoproject.com/en/6.0/internals/security/#how-does-django-evaluate-a-report
Thank you Sarah for addressing this. I was following your suggestion and I
wrote this test:
{{{#!python
from django.core import serializers
from django.core.management.commands.loaddata import Command
from django.test import SimpleTestCase


class ParseNameTests(SimpleTestCase):
    def setUp(self):
        self.command = Command()
        # parse_name() looks up the command's known serialization formats,
        # which loaddata() normally populates before parsing fixture labels.
        self.command.serialization_formats = (
            serializers.get_public_serializer_formats()
        )

    def test_parent_traversal_no_longer_raises(self):
        name, ser_fmt, cmp_fmt = self.command.parse_name("../secret")
        self.assertEqual(name, "../secret")
        self.assertIsNone(ser_fmt)
        self.assertIsNone(cmp_fmt)
}}}
This test passes with the `PurePath` fix. Without it,
`parse_name("../secret")` used to raise `CommandError` but only by
accident: the dots in `".."` get treated as format delimiters, triggering
the same "unknown serialization format" error this ticket is about but for
a different reason.
Note that a fixture name with an explicit extension, e.g.
`"../secret.json"`, is already parsed correctly even without this fix.
Even though this isn't a blocker, I think it's worth highlighting.
--
Ticket URL: <https://code.djangoproject.com/ticket/37081#comment:7>
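The contrast the comment above draws (dot-splitting on the whole string versus treating only the final path component's suffixes as format markers) can be seen in isolation with a small reconstruction. This is an added example, not Django's `loaddata` code and not the patch attached to this ticket: the format tables and sample names are constructed, `parse_name_by_rsplit` approximates the pre-fix behaviour, `parse_name_by_purepath` approximates the `PurePath` approach, and `UnknownFormatError` stands in for `CommandError`.

```python
from pathlib import PurePath

# Constructed format tables; the real command derives these from the
# registered serializers and its compression table.
SERIALIZATION_FORMATS = {"json", "xml", "yaml"}
COMPRESSION_FORMATS = {"gz", "zip", "bz2", "xz"}


class UnknownFormatError(ValueError):
    """Stands in for the CommandError that loaddata raises on an unknown format."""


def parse_name_by_rsplit(fixture_name):
    """Approximation of the pre-fix strategy: split the whole label on its
    last two dots, so a dot in a directory name becomes a 'format'."""
    parts = fixture_name.rsplit(".", 2)
    cmp_fmt = None
    if len(parts) > 1 and parts[-1] in COMPRESSION_FORMATS:
        cmp_fmt = parts.pop()
    ser_fmt = None
    if len(parts) > 1:
        if parts[-1] in SERIALIZATION_FORMATS:
            ser_fmt = parts.pop()
        else:
            raise UnknownFormatError(
                f"{parts[-1]!r} is not a known serialization format"
            )
    return ".".join(parts), ser_fmt, cmp_fmt


def parse_name_by_purepath(fixture_name):
    """Approximation of the PurePath strategy: only the suffixes of the final
    path component are candidates for compression/serialization formats."""
    path = PurePath(fixture_name)
    cmp_fmt = None
    if path.suffix[1:] in COMPRESSION_FORMATS:
        cmp_fmt = path.suffix[1:]
        path = path.with_suffix("")
    ser_fmt = None
    if path.suffix:
        if path.suffix[1:] in SERIALIZATION_FORMATS:
            ser_fmt = path.suffix[1:]
            path = path.with_suffix("")
        else:
            raise UnknownFormatError(
                f"{path.suffix[1:]!r} is not a known serialization format"
            )
    # str() keeps POSIX separators as given; on Windows PurePath would
    # normalise them, which is irrelevant for this illustration.
    return str(path), ser_fmt, cmp_fmt


def rejects(parser, fixture_name):
    """True when the parser refuses the label with an unknown-format error."""
    try:
        parser(fixture_name)
    except UnknownFormatError:
        return True
    return False


# Constructed sample labels covering the ticket's cases.
SAMPLES = [
    "fixtures.v2/data",   # dot in a directory name: the ticket's bug
    "data.json.gz",       # ordinary name with both formats
    "../secret",          # rejected only by accident before the fix
    "../secret.json",     # already parsed correctly either way
    "data.bogus",         # genuinely unknown format, rejected either way
]

if __name__ == "__main__":
    for label in SAMPLES:
        for parser in (parse_name_by_rsplit, parse_name_by_purepath):
            if rejects(parser, label):
                print(f"{parser.__name__:24} {label!r:22} -> rejected")
            else:
                print(f"{parser.__name__:24} {label!r:22} -> {parser(label)}")
```

Neither function is a path-traversal check: the `rsplit` variant refuses `../secret` only because `..` happens to contain dots, and `../secret.json` passes both. Any policy about where a fixture may live has to be enforced where the file is actually located and opened, not in the name parser, which is consistent with the comment's observation.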