Fixed #33062 -- Made MultiPartParser remove non-printable chars from file names.

This commit is contained in:
Hrushikesh Vaidya 2022-01-17 14:42:48 +05:30 committed by Mariusz Felisiak
parent 0f6946495a
commit 3fadf141e6
2 changed files with 25 additions and 0 deletions

View File

@ -320,6 +320,8 @@ class MultiPartParser:
file_name = html.unescape(file_name) file_name = html.unescape(file_name)
file_name = file_name.rsplit('/')[-1] file_name = file_name.rsplit('/')[-1]
file_name = file_name.rsplit('\\')[-1] file_name = file_name.rsplit('\\')[-1]
# Remove non-printable characters.
file_name = ''.join([char for char in file_name if char.isprintable()])
if file_name in {'', '.', '..'}: if file_name in {'', '.', '..'}:
return None return None

View File

@ -283,6 +283,29 @@ class FileUploadTests(TestCase):
for i, name in enumerate(filenames): for i, name in enumerate(filenames):
self.assertIsNone(received.get('file%s' % i)) self.assertIsNone(received.get('file%s' % i))
def test_non_printable_chars_in_file_names(self):
file_name = 'non-\x00printable\x00\n_chars.txt\x00'
payload = client.FakePayload()
payload.write('\r\n'.join([
'--' + client.BOUNDARY,
f'Content-Disposition: form-data; name="file"; filename="{file_name}"',
'Content-Type: application/octet-stream',
'',
'You got pwnd.\r\n'
]))
payload.write('\r\n--' + client.BOUNDARY + '--\r\n')
r = {
'CONTENT_LENGTH': len(payload),
'CONTENT_TYPE': client.MULTIPART_CONTENT,
'PATH_INFO': '/echo/',
'REQUEST_METHOD': 'POST',
'wsgi.input': payload,
}
response = self.client.request(**r)
# Non-printable chars are sanitized.
received = response.json()
self.assertEqual(received['file'], 'non-printable_chars.txt')
def test_dangerous_file_names(self): def test_dangerous_file_names(self):
"""Uploaded file names should be sanitized before ever reaching the view.""" """Uploaded file names should be sanitized before ever reaching the view."""
# This test simulates possible directory traversal attacks by a # This test simulates possible directory traversal attacks by a