[3.2.x] Fixed CVE-2021-45452 -- Fixed potential path traversal in storage subsystem.

Thanks to Dennis Brinkrolf for the report.
This commit is contained in:
Florian Apolloner 2021-12-17 21:07:50 +01:00 committed by Carlton Gibson
parent c7fe895bca
commit 8d2f7cff76
5 changed files with 45 additions and 7 deletions

View File

@ -51,7 +51,10 @@ class Storage:
content = File(content, name)
name = self.get_available_name(name, max_length=max_length)
return self._save(name, content)
name = self._save(name, content)
# Ensure that the name returned from the storage system is still valid.
validate_file_name(name, allow_relative_path=True)
return name
# These methods are part of the public API, with default implementations.
@ -75,6 +78,7 @@ class Storage:
Return a filename that's free on the target storage system and
available for new content to be written to.
"""
name = str(name).replace('\\', '/')
dir_name, file_name = os.path.split(name)
if '..' in pathlib.PurePath(dir_name).parts:
raise SuspiciousFileOperation("Detected path traversal attempt in '%s'" % dir_name)
@ -108,6 +112,7 @@ class Storage:
Validate the filename by calling get_valid_name() and return a filename
to be passed to the save() method.
"""
filename = str(filename).replace('\\', '/')
# `filename` may include a path as returned by FileField.upload_to.
dirname, filename = os.path.split(filename)
if '..' in pathlib.PurePath(dirname).parts:
@ -297,6 +302,8 @@ class FileSystemStorage(Storage):
if self.file_permissions_mode is not None:
os.chmod(full_path, self.file_permissions_mode)
# Ensure the saved path is always relative to the storage root.
name = os.path.relpath(full_path, self.location)
# Store filenames with forward slashes, even on Windows.
return str(name).replace('\\', '/')

View File

@ -36,3 +36,12 @@ As a reminder, all untrusted user input should be validated before use.
This issue has severity "low" according to the :ref:`Django security policy
<security-disclosure>`.
CVE-2021-45452: Potential directory-traversal via ``Storage.save()``
====================================================================
``Storage.save()`` allowed directory-traversal if directly passed suitably
crafted file names.
This issue has severity "low" according to the :ref:`Django security policy
<security-disclosure>`.

View File

@ -36,3 +36,12 @@ As a reminder, all untrusted user input should be validated before use.
This issue has severity "low" according to the :ref:`Django security policy
<security-disclosure>`.
CVE-2021-45452: Potential directory-traversal via ``Storage.save()``
====================================================================
``Storage.save()`` allowed directory-traversal if directly passed suitably
crafted file names.
This issue has severity "low" according to the :ref:`Django security policy
<security-disclosure>`.

View File

@ -53,9 +53,16 @@ class GenerateFilenameStorageTests(SimpleTestCase):
s.generate_filename(file_name)
def test_storage_dangerous_paths_dir_name(self):
file_name = '/tmp/../path'
candidates = [
('tmp/../path', 'tmp/..'),
('tmp\\..\\path', 'tmp/..'),
('/tmp/../path', '/tmp/..'),
('\\tmp\\..\\path', '/tmp/..'),
]
s = FileSystemStorage()
msg = "Detected path traversal attempt in '/tmp/..'"
for file_name, path in candidates:
msg = "Detected path traversal attempt in '%s'" % path
with self.subTest(file_name=file_name):
with self.assertRaisesMessage(SuspiciousFileOperation, msg):
s.get_available_name(file_name)
with self.assertRaisesMessage(SuspiciousFileOperation, msg):

View File

@ -297,6 +297,12 @@ class FileStorageTests(SimpleTestCase):
self.storage.delete('path/to/test.file')
def test_file_save_abs_path(self):
test_name = 'path/to/test.file'
f = ContentFile('file saved with path')
f_name = self.storage.save(os.path.join(self.temp_dir, test_name), f)
self.assertEqual(f_name, test_name)
def test_save_doesnt_close(self):
with TemporaryUploadedFile('test', 'text/plain', 1, 'utf8') as file:
file.write(b'1')