#35817: Regression in default_storage.save(path, source)
-------------------------------------+-------------------------------------
     Reporter:  Caram                |                    Owner:  (none)
         Type:  Bug                  |                   Status:  closed
    Component:  File                 |                  Version:  5.1
  uploads/storage                    |
     Severity:  Normal               |               Resolution:  wontfix
     Keywords:                       |             Triage Stage:
                                     |  Unreviewed
    Has patch:  0                    |      Needs documentation:  0
  Needs tests:  0                    |  Patch needs improvement:  0
Easy pickings:  0                    |                    UI/UX:  0
-------------------------------------+-------------------------------------
Changes (by Natalia Bidart):

 * resolution:   => wontfix
 * severity:  Release blocker => Normal
 * status:  new => closed

Comment:

 Hello Caram,

 As you have correctly found, this was indeed a security fix applied to all
 supported Django versions. The description of the issue was posted in
 https://www.djangoproject.com/weblog/2024/jul/09/security-releases/. This
 fix provides enhanced security and avoids potential path traversals in file
 storages.

 We will not revert the security fix for the reasons stated in the post.
 What you could do is to use relative paths in the `save` call and make
 those paths absolute inside the `_save` method, just like the provided
 `FileSystemStorage` does (see the
 [https://github.com/django/django/blob/main/django/core/files/storage/filesystem.py#L83 full_path call]).
 Another example of a well known storage doing this (mapping between
 absolute and relative paths, see
 [https://github.com/jschneier/django-storages/blob/master/storages/backends/dropbox.py#L119 _full_path])
 is the `DropboxStorage` in `django-storages`.
-- 
Ticket URL: <https://code.djangoproject.com/ticket/35817#comment:2>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
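Added example, not code from the ticket, from Django or from django-storages: a minimal storage-like backend that follows the pattern the comment describes, accepting only relative names in `save` and resolving them to absolute paths inside `_save`, with an inline containment check standing in for Django's `safe_join`. The class, exception and `demo` names are assumptions; the inputs in `demo` are constructed.

```python
import os
import tempfile


class SuspiciousFileOperation(Exception):
    """Raised when a name would resolve outside the storage's base location."""


class RelativeNameStorage:
    """Hypothetical backend: callers pass relative names; only _save touches absolute paths."""

    def __init__(self, location):
        # Normalise the base once so containment checks compare like with like.
        self.location = os.path.abspath(location)

    def path(self, name):
        """Map a relative name to an absolute path, refusing anything that escapes location."""
        if os.path.isabs(name):
            raise SuspiciousFileOperation(f"absolute path not allowed: {name!r}")
        full = os.path.abspath(os.path.join(self.location, name))
        # The resolved path must be the base itself or live beneath it (os.sep guards
        # against prefix collisions such as /base vs /base2).
        if full != self.location and not full.startswith(self.location + os.sep):
            raise SuspiciousFileOperation(f"{name!r} escapes {self.location!r}")
        return full

    def _save(self, name, content):
        """Write content at the absolute path derived from the relative name."""
        full = self.path(name)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(content)
        return name  # storage convention: return the relative name that was saved

    def save(self, name, content):
        return self._save(name, content)


def demo():
    """Returns (accepted_name, rejected_names) for a constructed set of inputs."""
    storage = RelativeNameStorage(tempfile.mkdtemp())
    accepted = storage.save("uploads/report.txt", b"ok")
    rejected = []
    for bad in ("../outside.txt", "/tmp/absolute.txt", "uploads/../../escape.txt"):
        try:
            storage.save(bad, b"x")
        except SuspiciousFileOperation:
            rejected.append(bad)
    return accepted, rejected
```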