From 3fadf141e66c8d0baaa66574fa3b63c4d3655482 Mon Sep 17 00:00:00 2001
From: Hrushikesh Vaidya <hrushikeshrv@gmail.com>
Date: Mon, 17 Jan 2022 14:42:48 +0530
Subject: [PATCH] Fixed #33062 -- Made MultiPartParser remove non-printable
 chars from file names.

---
 django/http/multipartparser.py |  2 ++
 tests/file_uploads/tests.py    | 23 +++++++++++++++++++++++
 2 files changed, 25 insertions(+)

diff --git a/django/http/multipartparser.py b/django/http/multipartparser.py
index ddf7cfa2f65..c3cb90e6393 100644
--- a/django/http/multipartparser.py
+++ b/django/http/multipartparser.py
@@ -320,6 +320,8 @@ class MultiPartParser:
         file_name = html.unescape(file_name)
         file_name = file_name.rsplit('/')[-1]
         file_name = file_name.rsplit('\\')[-1]
+        # Remove non-printable characters.
+        file_name = ''.join([char for char in file_name if char.isprintable()])
 
         if file_name in {'', '.', '..'}:
             return None
diff --git a/tests/file_uploads/tests.py b/tests/file_uploads/tests.py
index 145d714a76c..1e20b48d259 100644
--- a/tests/file_uploads/tests.py
+++ b/tests/file_uploads/tests.py
@@ -283,6 +283,29 @@ class FileUploadTests(TestCase):
         for i, name in enumerate(filenames):
             self.assertIsNone(received.get('file%s' % i))
 
+    def test_non_printable_chars_in_file_names(self):
+        file_name = 'non-\x00printable\x00\n_chars.txt\x00'
+        payload = client.FakePayload()
+        payload.write('\r\n'.join([
+            '--' + client.BOUNDARY,
+            f'Content-Disposition: form-data; name="file"; filename="{file_name}"',
+            'Content-Type: application/octet-stream',
+            '',
+            'You got pwnd.\r\n'
+        ]))
+        payload.write('\r\n--' + client.BOUNDARY + '--\r\n')
+        r = {
+            'CONTENT_LENGTH': len(payload),
+            'CONTENT_TYPE': client.MULTIPART_CONTENT,
+            'PATH_INFO': '/echo/',
+            'REQUEST_METHOD': 'POST',
+            'wsgi.input': payload,
+        }
+        response = self.client.request(**r)
+        # Non-printable chars are sanitized.
+        received = response.json()
+        self.assertEqual(received['file'], 'non-printable_chars.txt')
+
     def test_dangerous_file_names(self):
         """Uploaded file names should be sanitized before ever reaching the view."""
         # This test simulates possible directory traversal attacks by a