Chris Lamb wrote:

> 3. My candidate version causes the same regression in the
> python-django-storages testsuite previously observed. As Steve pointed
> out, though "there are *already* changes in our version of
> django-storages that are clearly expected to work with the fixes in
> django. But they're not.". I am investigating this.
This turned out NOT to be a test-only problem — the Dropbox backend of
django-storages will need to be updated or we might be breaking users'
web services.

The changes in our version of django-storages were not complete; or
rather, long after those changes were committed, django-storages upstream
worked with Django upstream after they identified a validation issue,
leading to the very CVE (and changes in Django) that cause this
regression:

  https://github.com/jschneier/django-storages/issues/1430#issuecomment-2219310781

The subsequent change to django-storages is a bit confusing to parse, as
this took the form of reverting some removed code. But first, observe
that upstream entirely removed the "get_available_name" method here:

  https://github.com/jschneier/django-storages/commit/a5319477473e5bab60b0d698e2a8127a8f750787#diff-ae567fb35986cceee2f0399f7be300078047a13c07299ef415971c7e2f786bbeL202-L207

... and when they reverted it, they did so *without* re-including the
call to self._full_path(name):

  https://github.com/jschneier/django-storages/pull/1484/changes#diff-ae567fb35986cceee2f0399f7be300078047a13c07299ef415971c7e2f786bbeR195

Thus, the change required to django-storages is as follows:

diff -urNad a/storages/backends/dropbox.py b/storages/backends/dropbox.py
--- a/storages/backends/dropbox.py	2026-01-28 15:16:12.506131883 -0800
+++ b/storages/backends/dropbox.py	2026-01-28 15:16:30.469908898 -0800
@@ -199,7 +199,6 @@
     def get_available_name(self, name, max_length=None):
         """Overwrite existing file with the same name."""
-        name = self._full_path(name)
         if self.write_mode == 'overwrite':
             return get_available_overwrite_name(name, max_length)
         return super().get_available_name(name, max_length)

This patch is for the version in bookworm.

Regards,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      [email protected] 🍥 chris-lamb.co.uk
       `-
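Review bot: dropping "name = self._full_path(name)" means both get_available_overwrite_name(name, max_length) and super().get_available_name(name, max_length) now receive the relative name instead of the root-prefixed Dropbox path, so max_length is counted against the name without the root prefix and the value handed back to Django no longer starts with the root. Before applying, confirm in the bookworm source that the code which actually uploads the content still wraps the name in _full_path() (otherwise a bare relative name would reach the Dropbox client), and that nothing else in the backend relied on get_available_name() returning the full path. One more thing to watch: the header reads "@@ -199,7 +199,6 @@" but only six lines of the old region survive in this mail, so a blank context line was probably lost in transit; regenerate the hunk against the bookworm tree or apply with fuzz rather than pasting the quoted text.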

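To make the regression concrete, here is an added, stand-alone model of the name handling discussed above. It is not code from django-storages or Django: the Dropbox client is replaced by a dict, safe_join and the counter-suffix logic are simplified, and the check Django applies to the name a backend returns is assumed to be "no absolute path, no '..' component" (an assumption about the Django-side validation the mail refers to, not something the mail spells out). The prefix_in_get_available_name flag switches between the bookworm code before the patch and the patched code.

```python
"""Model of the django-storages Dropbox get_available_name() regression.

Added illustration, not django-storages or Django code. Only the name
handling is reproduced; the Dropbox client is a dict.
"""
import pathlib
import posixpath


class SuspiciousFileOperation(Exception):
    """Stands in for django.core.exceptions.SuspiciousFileOperation."""


def safe_join(base, name):
    """Join name under base; refuse a result that escapes base (Django-style).

    As in Django, an absolute name that already lies under base is accepted
    as-is rather than being prefixed a second time.
    """
    base = posixpath.normpath(base)
    final = posixpath.normpath(posixpath.join(base, name))
    if final != base and not final.startswith(base.rstrip("/") + "/"):
        raise SuspiciousFileOperation(f"{name!r} escapes {base!r}")
    return final


def validate_returned_name(name):
    """Assumed form of the check Django's Storage.save() runs on the name a
    backend returns: reject empty/dot basenames, absolute paths and '..'."""
    path = pathlib.PurePosixPath(str(name).replace("\\", "/"))
    if path.name in {"", ".", ".."}:
        raise SuspiciousFileOperation(f"Could not derive file name from {name!r}")
    if path.is_absolute() or ".." in path.parts:
        raise SuspiciousFileOperation(f"Detected path traversal attempt in {name!r}")
    return name


def get_available_overwrite_name(name, max_length):
    """Shorten the file stem until len(name) <= max_length (simplified)."""
    if max_length is None or len(name) <= max_length:
        return name
    dir_name, file_name = posixpath.split(name)
    stem, ext = posixpath.splitext(file_name)
    keep = len(stem) - (len(name) - max_length)
    stem = stem[:keep] if keep > 0 else ""
    if not stem:
        raise SuspiciousFileOperation(f"Cannot shorten {name!r} to {max_length} chars")
    return posixpath.join(dir_name, stem + ext)


class DropboxLikeStorage:
    """Only the name handling of a Dropbox-style backend (hypothetical)."""

    def __init__(self, root_path="/apps/demo", write_mode="add",
                 prefix_in_get_available_name=False):
        self.root_path = root_path
        self.write_mode = write_mode
        # True reproduces the bookworm code before the patch in the mail.
        self.prefix_in_get_available_name = prefix_in_get_available_name
        self.files = {}  # full Dropbox path -> bytes (constructed stand-in)

    def _full_path(self, name):
        if name == "/":
            name = ""
        return safe_join(self.root_path, name).replace("\\", "/")

    def exists(self, name):
        return self._full_path(name) in self.files

    def get_available_name(self, name, max_length=None):
        if self.prefix_in_get_available_name:
            name = self._full_path(name)  # the line the patch removes
        if self.write_mode == "overwrite":
            return get_available_overwrite_name(name, max_length)
        # Django's default behaviour, simplified: suffix until the name is free.
        dir_name, file_name = posixpath.split(name)
        stem, ext = posixpath.splitext(file_name)
        counter = 1
        while self.exists(name):
            name = posixpath.join(dir_name, f"{stem}_{counter}{ext}")
            counter += 1
        return name

    def _save(self, name, content):
        self.files[self._full_path(name)] = content  # upload uses the full path
        return name

    def save(self, name, content, max_length=None):
        """Same order as Django's Storage.save(): choose name, store, validate."""
        name = self.get_available_name(name, max_length=max_length)
        name = self._save(name, content)
        return validate_returned_name(name)


def demo():
    """Run the constructed scenarios and return their outcomes."""
    results = {}
    before = DropboxLikeStorage(prefix_in_get_available_name=True)
    try:
        before.save("uploads/report.txt", b"data")
        results["before"] = "saved"
    except SuspiciousFileOperation as exc:
        results["before"] = f"rejected: {exc}"  # root-prefixed name is absolute
    after = DropboxLikeStorage()
    results["after"] = after.save("uploads/report.txt", b"data")
    results["after_path"] = sorted(after.files)[0]
    results["after_second"] = after.save("uploads/report.txt", b"more")
    try:
        after.save("../outside.txt", b"x")
        results["traversal"] = "saved"
    except SuspiciousFileOperation:
        results["traversal"] = "rejected"  # safe_join refuses to leave the root
    before_ow = DropboxLikeStorage(write_mode="overwrite", prefix_in_get_available_name=True)
    results["before_overwrite_name"] = before_ow.get_available_name("uploads/report.txt", max_length=25)
    after_ow = DropboxLikeStorage(write_mode="overwrite")
    results["after_overwrite_name"] = after_ow.get_available_name("uploads/report.txt", max_length=25)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The "before" case shows the failure mode the mail describes: the name handed back to Django already carries the root path, so the post-fix validation rejects it and the upload fails. The patched variant returns the relative name, the upload still lands under the root because _save() applies _full_path() itself, and a traversal attempt is still refused. The overwrite pair also shows the side effect worth knowing about: before the patch, max_length was measured against the root-prefixed path, so a 25-character limit truncated the stem; afterwards it is measured against the name alone.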
