Commit Graph

105 Commits

Author SHA1 Message Date
Florian Apolloner e1592e0f26 [4.0.x] Fixed CVE-2021-45452 -- Fixed potential path traversal in storage subsystem.
Thanks to Dennis Brinkrolf for the report.
2022-01-04 10:10:14 +01:00
David Smith 1024b5e74a Fixed 32956 -- Lowercased spelling of "web" and "web framework" where appropriate. 2021-07-29 06:24:12 +02:00
Jacob Walls ec2727efef Fixed #28154 -- Prevented infinite loop in FileSystemStorage.save() when a broken symlink with the same name exists. 2021-06-02 12:20:22 +02:00
Mariusz Felisiak b55699968f
Fixed #32718 -- Relaxed file name validation in FileField.
- Validate filename returned by FileField.upload_to() not a filename
  passed to the FileField.generate_filename() (upload_to() may
  completely ignored passed filename).
- Allow relative paths (without dot segments) in the generated filename.

Thanks to Jakub Kleň for the report and review.
Thanks to all folks for checking this patch on existing projects.
Thanks Florian Apolloner and Markus Holtermann for the discussion and
implementation idea.

Regression in 0b79eb3691.
2021-05-13 08:53:44 +02:00
Carlton Gibson a708f39ce6 Refs CVE-2021-31542 -- Skipped mock AWS storage test on Windows.
The validate_file_name() sanitation introduced in
0b79eb3691 correctly rejects the example
file name as containing path elements on Windows. This breaks the test
introduced in 914c72be2a to allow path
components for storages that may allow them.

Test is skipped pending a discussed storage refactoring to support this
use-case.
2021-05-06 07:04:52 +02:00
Florian Apolloner 0b79eb3691 Fixed CVE-2021-31542 -- Tightened path & file name sanitation in file uploads. 2021-05-04 08:44:42 +02:00
Daniyal 474cc420bf Refs #32508 -- Raised Type/ValueError instead of using "assert" in django.core. 2021-03-19 08:04:37 +01:00
Brian Helba 2d42e23b6d Fixed #31941 -- Corrected FileField.deconstruct() with a callable storage. 2020-09-02 11:06:18 +02:00
Mariusz Felisiak 8d7271578d Fixed CVE-2020-24583, #31921 -- Fixed permissions on intermediate-level static and storage directories on Python 3.7+.
Thanks WhiteSage for the report.
2020-09-01 09:17:23 +02:00
Carlton Gibson 94b32a20ef Refs #28184 -- Added test for FileField storage default.
Co-authored-by: miigotu <miigotu@gmail.com>
2020-04-08 11:26:17 +02:00
miigotu 210657b791 Fixed #28184 -- Allowed using a callable for FileField and ImageField storage. 2020-04-08 11:26:17 +02:00
Jon Dufresne 39791c8e6d Harmonized Windows checks in tests to a single style. 2019-11-06 15:14:30 +01:00
Hasan Ramezani 17752003a8 Refs #28428 -- Made FileSystemStorage.save() to support pathlib.Path. 2019-10-31 09:06:05 +01:00
Hasan Ramezani 0f2975534d Refs #28428 -- Added tests for using FileSystemStorage with pathlib.Path. 2019-10-31 08:52:15 +01:00
Oleg Kainov c574bec092 Fixed #25598 -- Added SCRIPT_NAME prefix to STATIC_URL and MEDIA_URL set to relative paths.
Thanks Florian Apolloner for reviews.

Co-authored-by: Joel Dunham <Joel.Dunham@technicalsafetybc.ca>
2019-09-25 19:47:03 +02:00
Claude Paroz d1c2e6dd04 Refs #28428 -- Made FileField.upload_to support pathlib.Path. 2019-08-18 20:34:58 +02:00
Claude Paroz af69842dbd Refs #28428 -- Added test for a callable FileField.upload_to that returns pathlib.Path. 2019-08-18 20:34:54 +02:00
Min ho Kim 65e86948b8 Corrected several typos in string literals and test names. 2019-08-07 11:23:14 +02:00
Jon Dufresne 290d8471bb Fixed #30147 -- Simplified directory creation with os.makedirs(..., exist_ok=True). 2019-01-31 12:53:36 -05:00
Jon Dufresne 7785e03ba8 Fixed #30137 -- Replaced OSError aliases with the canonical OSError.
Used more specific errors (e.g. FileExistsError) as appropriate.
2019-01-28 11:15:06 -05:00
Tim Graham 043bd70942 Updated test URL patterns to use path() and re_path(). 2018-12-31 10:47:32 -05:00
Tim Graham 98ef3829e9 Fixed #29890 -- Fixed FileSystemStorage crash if concurrent saves try to create the same directory.
Regression in 632c4ffd9c.
2018-10-31 19:28:11 -04:00
Jon Dufresne e90af8bad4 Capitalized "Python" in docs and comments. 2018-10-09 09:26:07 -04:00
Sergey Fedoseev 8ef8bc0f64 Refs #28909 -- Simplifed code using unpacking generalizations. 2018-09-28 09:57:12 -04:00
Jon Dufresne e7d7d47b93 Fixed ResourceWarning from unclosed test files.
When running Django tests with Python warnings enabled.
2018-07-10 12:26:19 +02:00
Jon Prindiville b4cba4ed62 Fixed #28144 -- Added FileSystemStorage.OS_OPEN_FLAGS to allow customization. 2018-06-29 15:51:59 -04:00
Claude Paroz 8e960c5aba Removed urllib2 reference in file storage tests 2018-04-27 14:02:39 +02:00
Jon Dufresne 2c69824e5a Refs #23968 -- Removed unnecessary lists, generators, and tuple calls. 2017-06-01 19:08:59 -04:00
Rajesh Veeranki 67e1afb4a8 Fixed #28224 -- Tested for SuspiciousOperation subclasses in Django's tests. 2017-05-25 08:19:01 -04:00
Vytis Banaitis 9cbf48693d Refs #27836 -- Fixed cleanup exception in file_storage test.
TemporaryDirectory tries to delete the directory that was already removed.
2017-03-01 12:52:28 -05:00
chillaranand e4025563ea Fixed #27836 -- Allowed FileSystemStorage.delete() to remove directories. 2017-02-24 16:02:33 -05:00
Tim Graham 29f607927f Fixed spelling of "nonexistent". 2017-02-03 08:01:45 -05:00
chillaranand d6eaf7c018 Refs #23919 -- Replaced super(ClassName, self) with super(). 2017-01-25 12:23:46 -05:00
Tim Graham 632c4ffd9c Refs #23919 -- Replaced errno checking with PEP 3151 exceptions. 2017-01-25 10:13:08 -05:00
Tim Graham 4e729feaa6 Refs #23919 -- Removed django.utils._os.upath()/npath()/abspathu() usage.
These functions do nothing on Python 3.
2017-01-20 08:01:02 -05:00
Tim Graham 109b33f64c Refs #23919 -- Simplified assertRaisesRegex()'s that accounted for Python 2. 2017-01-20 08:49:47 +01:00
Claude Paroz 2b281cc35e Refs #23919 -- Removed most of remaining six usage
Thanks Tim Graham for the review.
2017-01-18 21:33:28 +01:00
Claude Paroz d7b9aaa366 Refs #23919 -- Removed encoding preambles and future imports 2017-01-18 09:55:19 +01:00
Tim Graham 0dfc5479a8 Refs #26058 -- Removed deprecated FileField.get_directory_name()/get_filename(). 2017-01-17 20:52:04 -05:00
Tim Graham 2d7fb77987 Refs #23832 -- Removed deprecated non-timezone aware Storage API. 2017-01-17 20:52:03 -05:00
Tim Graham b5f0b3478d Fixed #27579 -- Added aliases for Python 3's assertion names in SimpleTestCase. 2016-12-07 17:42:31 -05:00
za 321e94fa41 Refs #27392 -- Removed "Tests that", "Ensures that", etc. from test docstrings. 2016-11-10 21:30:21 -05:00
Tim Graham 414ad25b09 Fixed #27327 -- Simplified time zone handling by requiring pytz. 2016-10-27 08:53:20 -04:00
Chris Sinchok ac1975b18b Fixed #13809 -- Made FieldFile.open() respect its mode argument. 2016-08-09 12:53:18 -04:00
Tomas Pazderka b820b6108a Fixed #26896 -- Allowed a lazy base_url for FileSystemStorage. 2016-07-29 14:13:54 -04:00
Paul J Stevens b45852c263 Refs #26772 -- Added a test for FileField reopening closed files.
Thanks Simon Charette for review.
2016-06-18 11:06:56 -04:00
Tim Graham cd217de610 Reverted "Fixed #26644 -- Allowed wrapping NamedTemporaryFile with File."
This reverts commit 1b407050dd as it
introduces a regression in the test for refs #26772.
2016-06-18 11:06:56 -04:00
Tim Graham 7def55c3f6 Reverted "Fixed #26398 -- Made FieldFile.open() respect its mode argument."
This reverts commit a52a531a8b due to
regressions described in refs #26772.
2016-06-17 21:04:02 -04:00
Hugo Osvaldo Barrera 1b407050dd Fixed #26644 -- Allowed wrapping NamedTemporaryFile with File.
914c72be2a introduced a regression that
causes saving a NamedTemporaryFile in a FileField to raise a
SuspiciousFileOperation. To remedy this, if a File has an absolute
path as a filename, use only the basename as the filename.
2016-06-14 09:28:08 -04:00
Simon Charette 271581df60 Refs #26712 -- Removed workarounds for PostgreSQL queries on TIME_ZONE changes. 2016-06-06 11:26:21 -04:00