#32718: [3.2.1] Issue with assigning file to FileField
-------------------------------------+-------------------------------------
     Reporter:  Jakub Kleň           |                    Owner:  nobody
         Type:  Bug                  |                   Status:  new
    Component:  Database layer       |                  Version:  2.2
  (models, ORM)                      |
     Severity:  Release blocker      |               Resolution:
     Keywords:  3.2.1 file model     |             Triage Stage:  Accepted
  filefield fieldfile                |
    Has patch:  1                    |      Needs documentation:  1
  Needs tests:  1                    |  Patch needs improvement:  1
Easy pickings:  0                    |                    UI/UX:  0
-------------------------------------+-------------------------------------

Comment (by Florian Apolloner):

 First off, can we please stop with arguments like "this will break
 thousand installations". It is simply not true because I do not assume
 that those installations will automatically update. And bumping the Django
 dependency should result in your tests discovering the issue. If not, well
 we are in the same boat, Django didn't catch it either even though our
 test coverage is not that bad…

 Replying to [comment:18 Brian Bouterse]:
 > These two lines broke our application which uses the 2.2 LTS. Our
 > application is shipped, so that's thousands of installations out there all
 > with various Y versions of our software over the past few years. Even if
 > we can port our application to use the new `name=...` argument, we would
 > have to backport and release many older versions, or force our userbase to
 > upgrade. I agree with @cardem; I see the impact of these two lines as
 > huge.

 I fully understand that this change might have impacts for you. That said,
 assume this was a different security fix, all your users would have to
 upgrade anyways; how is it much different whether the upgrade is just Django
 or your app + Django? Please be aware that literally every point release
 has the possibility to break your app because you might have used some
 undocumented feature. I am trying to understand what your normal upgrade
 process looks like.

 > Can someone identify what is the motivation for having these two lines?
 > I don't see how they are required for the CVE, but even if they are, since
 > the CVE is graded as low, is this appropriate for the LTS?

 It is an in-depth defense against path traversal issues inside MEDIA_ROOT.
 The CVE could have been worded differently, sorry about that. The fallout
 seems to be larger than expected. That said, please be aware that we do
 develop security fixes in private (in a rather small group) to not allow
 early exploits. As such, issues & mistakes like this are more likely to
 occur with security fixes than with regular fixes (where there is at least
 the chance of a larger review). As for whether or not this is appropriate
 for an LTS: the point of an LTS is exactly to get those security fixes (and
 a few normal high profile issues). Depending on how exactly your
 application works, this low issue could just as well be a high for you
 (although many things have to go wrong for that).

 > One of my other concerns is that what I see happening is folks are
 > pinning to 2.2.20, which is going to prevent them from receiving the
 > moderate CVE fix for Python 3.9 environments with 2.2.22.

 That is fine, as with all things, we do recommend pinning. If one of the
 versions causes problems there is always the possibility to maintain your
 own forks as needed or monkeypatch around the issue. And yes, I really think
 people should have this as a last resort option because we simply cannot
 be perfect and will fail from time to time. Rushing out a fix for this to
 break yet another valid use case will make things just worse.

 > Thank you for all the effort you all put into Django. We couldn't do
 > what we do without you.

 Thank you for the kind words. They are highly appreciated, especially in
 heated tickets like this one. As said above already, I am having
 difficulty reproducing all the mentioned problems. Some of the issues
 mentioned (especially absolute path) occur for me even on unpatched Django
 versions and I am still trying to understand what the difference between our
 systems is. The more we know the faster we can fix this.

-- 
Ticket URL: <https://code.djangoproject.com/ticket/32718#comment:19>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
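A stand-alone illustration of the containment property the comment above refers to (a file name assigned to a file field must stay inside MEDIA_ROOT), added here as example code and not Django's own implementation: a strict check that only accepts a bare file name (which rejects the relative sub-path case this ticket is about), a relaxed check that still blocks absolute paths and `..`, and a second layer that normalises the joined path and confirms it sits under the root. The function names, the `allow_relative_path` flag and the `/srv/media` root are assumptions made for the example.

```python
import posixpath

MEDIA_ROOT = "/srv/media"  # constructed root for the example, not a real deployment


class SuspiciousFileOperation(Exception):
    """Raised when a file name would land outside the media root."""


def check_upload_name(name, allow_relative_path=False):
    """Reject names that could traverse out of the storage directory.

    Strict mode accepts only a bare file name; relaxed mode also accepts a
    relative sub-path that is not absolute and has no '..' component.
    """
    base = posixpath.basename(name)
    if base in ("", ".", ".."):
        raise SuspiciousFileOperation(f"Could not derive file name from {name!r}")
    if allow_relative_path:
        if posixpath.isabs(name) or ".." in name.split("/"):
            raise SuspiciousFileOperation(f"Path traversal detected in {name!r}")
    elif name != base:
        raise SuspiciousFileOperation(f"File name {name!r} includes path elements")
    return name


def resolve_under_root(name, root=MEDIA_ROOT):
    """Second layer: join under root and prove the normalised result stays inside.

    commonpath compares whole components, so a sibling such as '/srv/media2'
    is not mistaken for a child of '/srv/media' the way a string-prefix test would.
    """
    root = posixpath.normpath(root)
    final = posixpath.normpath(posixpath.join(root, name))
    if posixpath.commonpath([root, final]) != root:
        raise SuspiciousFileOperation(f"{name!r} resolves outside {root}")
    return final


def classify(names, allow_relative_path=False):
    """Run both layers over sample names; map each name to its final path or rejection."""
    results = {}
    for name in names:
        try:
            check_upload_name(name, allow_relative_path)
            results[name] = resolve_under_root(name)
        except SuspiciousFileOperation as exc:
            results[name] = f"rejected: {exc}"
    return results


if __name__ == "__main__":  # constructed inputs, incl. the sub-path case from the ticket
    samples = ["photo.png", "avatars/photo.png", "../outside.png", "/etc/hostname"]
    print(classify(samples), classify(samples, allow_relative_path=True), sep="\n")
```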
