#37081: loaddata fails when a directory in the fixture path contains a dot
-------------------------------------+-------------------------------------
     Reporter:  Alisson Silveira     |                    Owner:  Alisson
                                     |  Silveira
         Type:  Bug                  |                   Status:  assigned
    Component:  Core (Management     |                  Version:  dev
  commands)                          |
     Severity:  Normal               |               Resolution:
     Keywords:                       |             Triage Stage:  Accepted
    Has patch:  1                    |      Needs documentation:  0
  Needs tests:  0                    |  Patch needs improvement:  0
Easy pickings:  0                    |                    UI/UX:  0
-------------------------------------+-------------------------------------
Comment (by Alisson Silveira):

 Replying to [comment:4 Sarah Boyce]:
 > Thank you! I think this is a bug worth addressing.
 > My only concern was whether this could create any path traversal issues
 > allowing something like `fixtures/../secret.json` but I think this would
 > be out of the scope of security issues anyway. See
 > https://docs.djangoproject.com/en/6.0/internals/security/#how-does-django-evaluate-a-report

 Thanks for your feedback, Sarah! I can provide a bit more context for the
 record.

 I decided to use a PurePath object to prevent any filesystem access, since
 this method only needs to parse the filename. The filename is the only
 piece of information being extracted and modified from the filepath. In
 contrast, the current approach relies on rsplit() directly on the file
 path string, which could potentially introduce security issues if the path
 is manipulated. Using PurePath makes the intent clearer and provides safer
 path handling.

 Since this was a bug I encountered in a production system, my fix is
 specifically focused on addressing that issue. However, I’d be more than
 happy to address any additional fixes or improvements related to this area
 if needed. Please let me know if you’d like me to explore any further
 improvements here.
-- 
Ticket URL: <https://code.djangoproject.com/ticket/37081#comment:6>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
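As an added illustration (not the ticket's patch or Django's own code), a constructed rsplit-based parser beside a PurePath-based one, with made-up format tables, showing why a dot in a directory breaks the former once the fixture name carries no extension:

```python
from pathlib import PurePath

# Constructed for this example; loaddata's real format tables are larger.
SERIALIZATION_FORMATS = {"json", "xml", "yaml"}
COMPRESSION_FORMATS = {"gz", "bz2", "zip"}


def split_formats(parts):
    """Peel an optional compression suffix, then a serialization suffix,
    off a list of dot-separated parts. Raises ValueError on an unknown
    suffix, mirroring the 'not a known serialization format' failure."""
    cmp_fmt = ser_fmt = None
    if len(parts) > 1 and parts[-1] in COMPRESSION_FORMATS:
        cmp_fmt = parts.pop()
    if len(parts) > 1:
        if parts[-1] not in SERIALIZATION_FORMATS:
            raise ValueError(f"{parts[-1]!r} is not a known serialization format")
        ser_fmt = parts.pop()
    return ".".join(parts), ser_fmt, cmp_fmt


def parse_fixture_naive(fixture_path):
    """rsplit on the whole path string: a dot inside any directory name is
    indistinguishable from a format suffix, so 'v1.0/users' is read as
    name 'v1' with format '0/users'."""
    return split_formats(fixture_path.rsplit(".", 2))


def parse_fixture_purepath(fixture_path):
    """Parse only the final path component. PurePath is pure string
    handling (no stat, no open), so directory dots never reach the split
    and the call is safe on untrusted input; the caller keeps the directory
    via PurePath(fixture_path).parent."""
    return split_formats(PurePath(fixture_path).name.rsplit(".", 2))


def parses(parser, fixture_path):
    """True if parser accepts fixture_path, False if it raises ValueError."""
    try:
        parser(fixture_path)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    for p in ("users.json.gz", "fixtures/v1.0/users.json", "fixtures/v1.0/users"):
        print(p, "naive:", parses(parse_fixture_naive, p),
              "purepath:", parse_fixture_purepath(p))
```

The naive parser only fails when the fixture is given without an extension (which loaddata permits), which is why the bug is easy to miss in testing.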