Hey Chris, and well done for tracking this down!

On Wed, Jan 28, 2026 at 03:28:29PM -0800, Chris Lamb wrote:
>Chris Lamb wrote:
>
>> 3. My candidate version causes the same regression in the
>> python-django-storages
>> testsuite previously observed. As Steve pointed out, though "there are
>> *already* changes in our version of django-storages that are clearly
>> expected to work with the fixes in django. But they're not.". I am
>> investigating this.
>
>This turned out NOT to be a test-only problem — the Dropbox backend
>of django-storages will need to be updated or we might be breaking
>users' web services.
>
>The changes in our version of django-storages were not complete;
>or rather, long after those changes were committed, django-storages
>upstream worked with Django upstream after they identified a
>validation issue, leading to the very CVE (and changes in Django)
>that cause this regression:
>
>  https://github.com/jschneier/django-storages/issues/1430#issuecomment-2219310781
>
>The subsequent change to django-storages is a bit confusing to parse,
>as this took the form of reverting some removed code. But first,
>observe that upstream entirely removed the "get_available_name" method here:
>
>  https://github.com/jschneier/django-storages/commit/a5319477473e5bab60b0d698e2a8127a8f750787#diff-ae567fb35986cceee2f0399f7be300078047a13c07299ef415971c7e2f786bbeL202-L207
>
>... and when they reverted it, they did so *without* re-including
>the call to self._full_path(name):
>
>  https://github.com/jschneier/django-storages/pull/1484/changes#diff-ae567fb35986cceee2f0399f7be300078047a13c07299ef415971c7e2f786bbeR195
>
>Thus, the change required to django-storages is as follows:
>
>  diff -urNad a/storages/backends/dropbox.py b/storages/backends/dropbox.py
>  --- a/storages/backends/dropbox.py	2026-01-28 15:16:12.506131883 -0800
>  +++ b/storages/backends/dropbox.py	2026-01-28 15:16:30.469908898 -0800
>  @@ -199,7 +199,6 @@
>
>      def get_available_name(self, name, max_length=None):
>          """Overwrite existing file with the same name."""
>  -        name = self._full_path(name)
>          if self.write_mode == 'overwrite':
>              return get_available_overwrite_name(name, max_length)
>          return super().get_available_name(name, max_length)
>
>This patch is for the version in bookworm.
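Review bot: dropping `name = self._full_path(name)` changes the input to both branches of the method, not only the overwrite one: `get_available_overwrite_name(name, max_length)` and the `super().get_available_name(name, max_length)` call in Django's `Storage` now receive the root-relative name instead of the full Dropbox path, which is what the Django-side validation referenced above expects, but it also means any `max_length` truncation is now measured against the shorter name. Please confirm that the python-django-storages testsuite regression mentioned earlier in the thread clears with this applied and that the Dropbox backend's own save path still resolves the full path itself, and cite the upstream PR 1484 change linked above in the patch header so the origin of the bookworm-only fix is clear to the next person reading it.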
\o/

-- 
Steve McIntyre, Cambridge, UK.                                [email protected]
Welcome my son, welcome to the machine.

