#32718: [3.2.1] Issue with assigning file to FileField -------------------------------------+------------------------------------- Reporter: Jakub Kleň | Owner: nobody Type: Bug | Status: new Component: Database layer | Version: 2.2 (models, ORM) | Severity: Release blocker | Resolution: Keywords: 3.2.1 file model | Triage Stage: Accepted filefield fieldfile | Has patch: 1 | Needs documentation: 1 Needs tests: 1 | Patch needs improvement: 1 Easy pickings: 0 | UI/UX: 0 -------------------------------------+-------------------------------------
Comment (by Jakub Kleň): Replying to [comment:22 carderm]: > I believe an absolute path outside of Media Root should fail, that is correct (in my opinion) - as an **absolute** path might be able to write shell scripts around the file system... > > It should however, work for a **relative** file path. > > **Hack example here** > > {{{ > # Some model > class FileModel(models.Model): > file_field = models.FileField(_('UsersFile'), storage='users', max_length=1000) > > model_inst = FileModel() > > # Add some file > new_file = ContentFile(some_file.read()) > new_file.name = f"{user.name}/file.txt" # E.g. "steve/file.txt" <<< This file should only be for 'steve' > model_inst.file = new_file > > # Save the Model > model_inst.save() #<<< in Django 3.2.0 this creates file "MEDIA_ROOT/users/steve/file.txt ! which is correct > model_inst.save() #<<< in Django 3.2.1 this FAILS with Path issue ! Incorrect > model_inst.save() #<<< in Django Latest Git commit will create "MEDIA_ROOT/users/file.txt ! which is incorrect - missing path! > > # What we need to stop: > bad_file = ContentFile(malicious_script.read()) > bad_file.name = "/etc/init.d/nameofscript.sh" > # or > bad_file.name = "../../../../../usr/local/lib/bad.file" > model_inst.file = bad_file > > # On Save we need to protect here - imho > model_inst.save() # <<< This *should Fail* with Security Error > > }}} > > > > > > Absolute paths wouldn't be able to write shell scripts around the file system, because the path always starts with `MEDIA_ROOT`, and `../` and such are disallowed. Also, I'm not sure if we should be forced to override the `name` attribute of `File`, because overriding it breaks the `File.open` function from working properly. -- Ticket URL: <https://code.djangoproject.com/ticket/32718#comment:27> Django <https://code.djangoproject.com/> The Web framework for perfectionists with deadlines. -- You received this message because you are subscribed to the Google Groups "Django updates" group. To unsubscribe from this group and stop receiving emails from it, send an email to django-updates+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/django-updates/064.f2c9153172481dcc4b0f1b4efbbda1ba%40djangoproject.com.