mirror of
				https://github.com/django/django.git
				synced 2025-10-25 06:36:07 +00:00 
			
		
		
		
	Fixed #23157 -- Removed O(n) algorithm when uploading duplicate file names.
This is a security fix. Disclosure following shortly.
This commit is contained in:
		| @@ -1,12 +1,12 @@ | |||||||
| import os | import os | ||||||
| import errno | import errno | ||||||
| import itertools |  | ||||||
| from datetime import datetime | from datetime import datetime | ||||||
|  |  | ||||||
| from django.conf import settings | from django.conf import settings | ||||||
| from django.core.exceptions import SuspiciousFileOperation | from django.core.exceptions import SuspiciousFileOperation | ||||||
| from django.core.files import locks, File | from django.core.files import locks, File | ||||||
| from django.core.files.move import file_move_safe | from django.core.files.move import file_move_safe | ||||||
|  | from django.utils.crypto import get_random_string | ||||||
| from django.utils.encoding import force_text, filepath_to_uri | from django.utils.encoding import force_text, filepath_to_uri | ||||||
| from django.utils.functional import LazyObject | from django.utils.functional import LazyObject | ||||||
| from django.utils.module_loading import import_string | from django.utils.module_loading import import_string | ||||||
| @@ -69,13 +69,12 @@ class Storage(object): | |||||||
|         """ |         """ | ||||||
|         dir_name, file_name = os.path.split(name) |         dir_name, file_name = os.path.split(name) | ||||||
|         file_root, file_ext = os.path.splitext(file_name) |         file_root, file_ext = os.path.splitext(file_name) | ||||||
|         # If the filename already exists, add an underscore and a number (before |         # If the filename already exists, add an underscore and a random 7 | ||||||
|         # the file extension, if one exists) to the filename until the generated |         # character alphanumeric string (before the file extension, if one | ||||||
|         # filename doesn't exist. |         # exists) to the filename until the generated filename doesn't exist. | ||||||
|         count = itertools.count(1) |  | ||||||
|         while self.exists(name): |         while self.exists(name): | ||||||
|             # file_ext includes the dot. |             # file_ext includes the dot. | ||||||
|             name = os.path.join(dir_name, "%s_%s%s" % (file_root, next(count), file_ext)) |             name = os.path.join(dir_name, "%s_%s%s" % (file_root, get_random_string(7), file_ext)) | ||||||
|  |  | ||||||
|         return name |         return name | ||||||
|  |  | ||||||
|   | |||||||
| @@ -90,5 +90,14 @@ the provided filename into account. The ``name`` argument passed to this method | |||||||
| will have already cleaned to a filename valid for the storage system, according | will have already cleaned to a filename valid for the storage system, according | ||||||
| to the ``get_valid_name()`` method described above. | to the ``get_valid_name()`` method described above. | ||||||
|  |  | ||||||
| The code provided on ``Storage`` simply appends ``"_1"``, ``"_2"``, etc. to the | .. versionchanged:: 1.7 | ||||||
| filename until it finds one that's available in the destination directory. |  | ||||||
|  |     If a file with ``name`` already exists, an underscore plus a random 7 | ||||||
|  |     character alphanumeric string is appended to the filename before the | ||||||
|  |     extension. | ||||||
|  |  | ||||||
|  |     Previously, an underscore followed by a number (e.g. ``"_1"``, ``"_2"``, | ||||||
|  |     etc.) was appended to the filename until an avaible name in the destination | ||||||
|  |     directory was found. A malicious user could exploit this deterministic | ||||||
|  |     algorithm to create a denial-of-service attack. This change was also made | ||||||
|  |     in Django 1.6.6, 1.5.9, and 1.4.14. | ||||||
|   | |||||||
| @@ -112,6 +112,18 @@ The Storage Class | |||||||
|         available for new content to be written to on the target storage |         available for new content to be written to on the target storage | ||||||
|         system. |         system. | ||||||
|  |  | ||||||
|  |         .. versionchanged:: 1.7 | ||||||
|  |  | ||||||
|  |         If a file with ``name`` already exists, an underscore plus a random 7 | ||||||
|  |         character alphanumeric string is appended to the filename before the | ||||||
|  |         extension. | ||||||
|  |  | ||||||
|  |         Previously, an underscore followed by a number (e.g. ``"_1"``, ``"_2"``, | ||||||
|  |         etc.) was appended to the filename until an avaible name in the | ||||||
|  |         destination directory was found. A malicious user could exploit this | ||||||
|  |         deterministic algorithm to create a denial-of-service attack. This | ||||||
|  |         change was also made in Django 1.6.6, 1.5.9, and 1.4.14. | ||||||
|  |  | ||||||
|     .. method:: get_valid_name(name) |     .. method:: get_valid_name(name) | ||||||
|  |  | ||||||
|         Returns a filename based on the ``name`` parameter that's suitable |         Returns a filename based on the ``name`` parameter that's suitable | ||||||
|   | |||||||
| @@ -18,3 +18,23 @@ To remedy this, URL reversing now ensures that no URL starts with two slashes | |||||||
| (//), replacing the second slash with its URL encoded counterpart (%2F). This | (//), replacing the second slash with its URL encoded counterpart (%2F). This | ||||||
| approach ensures that semantics stay the same, while making the URL relative to | approach ensures that semantics stay the same, while making the URL relative to | ||||||
| the domain and not to the scheme. | the domain and not to the scheme. | ||||||
|  |  | ||||||
|  | File upload denial-of-service | ||||||
|  | ============================= | ||||||
|  |  | ||||||
|  | Before this release, Django's file upload handing in its default configuration | ||||||
|  | may degrade to producing a huge number of ``os.stat()`` system calls when a | ||||||
|  | duplicate filename is uploaded. Since ``stat()`` may invoke IO, this may produce | ||||||
|  | a huge data-dependent slowdown that slowly worsens over time. The net result is | ||||||
|  | that given enough time, a user with the ability to upload files can cause poor | ||||||
|  | performance in the upload handler, eventually causing it to become very slow | ||||||
|  | simply by uploading 0-byte files. At this point, even a slow network connection | ||||||
|  | and few HTTP requests would be all that is necessary to make a site unavailable. | ||||||
|  |  | ||||||
|  | We've remedied the issue by changing the algorithm for generating file names | ||||||
|  | if a file with the uploaded name already exists. | ||||||
|  | :meth:`Storage.get_available_name() | ||||||
|  | <django.core.files.storage.Storage.get_available_name>` now appends an | ||||||
|  | underscore plus a random 7 character alphanumeric string (e.g. ``"_x3a1gho"``), | ||||||
|  | rather than iterating through an underscore followed by a number (e.g. ``"_1"``, | ||||||
|  | ``"_2"``, etc.). | ||||||
|   | |||||||
| @@ -18,3 +18,23 @@ To remedy this, URL reversing now ensures that no URL starts with two slashes | |||||||
| (//), replacing the second slash with its URL encoded counterpart (%2F). This | (//), replacing the second slash with its URL encoded counterpart (%2F). This | ||||||
| approach ensures that semantics stay the same, while making the URL relative to | approach ensures that semantics stay the same, while making the URL relative to | ||||||
| the domain and not to the scheme. | the domain and not to the scheme. | ||||||
|  |  | ||||||
|  | File upload denial-of-service | ||||||
|  | ============================= | ||||||
|  |  | ||||||
|  | Before this release, Django's file upload handing in its default configuration | ||||||
|  | may degrade to producing a huge number of ``os.stat()`` system calls when a | ||||||
|  | duplicate filename is uploaded. Since ``stat()`` may invoke IO, this may produce | ||||||
|  | a huge data-dependent slowdown that slowly worsens over time. The net result is | ||||||
|  | that given enough time, a user with the ability to upload files can cause poor | ||||||
|  | performance in the upload handler, eventually causing it to become very slow | ||||||
|  | simply by uploading 0-byte files. At this point, even a slow network connection | ||||||
|  | and few HTTP requests would be all that is necessary to make a site unavailable. | ||||||
|  |  | ||||||
|  | We've remedied the issue by changing the algorithm for generating file names | ||||||
|  | if a file with the uploaded name already exists. | ||||||
|  | :meth:`Storage.get_available_name() | ||||||
|  | <django.core.files.storage.Storage.get_available_name>` now appends an | ||||||
|  | underscore plus a random 7 character alphanumeric string (e.g. ``"_x3a1gho"``), | ||||||
|  | rather than iterating through an underscore followed by a number (e.g. ``"_1"``, | ||||||
|  | ``"_2"``, etc.). | ||||||
|   | |||||||
| @@ -19,6 +19,26 @@ To remedy this, URL reversing now ensures that no URL starts with two slashes | |||||||
| approach ensures that semantics stay the same, while making the URL relative to | approach ensures that semantics stay the same, while making the URL relative to | ||||||
| the domain and not to the scheme. | the domain and not to the scheme. | ||||||
|  |  | ||||||
|  | File upload denial-of-service | ||||||
|  | ============================= | ||||||
|  |  | ||||||
|  | Before this release, Django's file upload handing in its default configuration | ||||||
|  | may degrade to producing a huge number of ``os.stat()`` system calls when a | ||||||
|  | duplicate filename is uploaded. Since ``stat()`` may invoke IO, this may produce | ||||||
|  | a huge data-dependent slowdown that slowly worsens over time. The net result is | ||||||
|  | that given enough time, a user with the ability to upload files can cause poor | ||||||
|  | performance in the upload handler, eventually causing it to become very slow | ||||||
|  | simply by uploading 0-byte files. At this point, even a slow network connection | ||||||
|  | and few HTTP requests would be all that is necessary to make a site unavailable. | ||||||
|  |  | ||||||
|  | We've remedied the issue by changing the algorithm for generating file names | ||||||
|  | if a file with the uploaded name already exists. | ||||||
|  | :meth:`Storage.get_available_name() | ||||||
|  | <django.core.files.storage.Storage.get_available_name>` now appends an | ||||||
|  | underscore plus a random 7 character alphanumeric string (e.g. ``"_x3a1gho"``), | ||||||
|  | rather than iterating through an underscore followed by a number (e.g. ``"_1"``, | ||||||
|  | ``"_2"``, etc.). | ||||||
|  |  | ||||||
| Bugfixes | Bugfixes | ||||||
| ======== | ======== | ||||||
|  |  | ||||||
|   | |||||||
| @@ -588,6 +588,13 @@ File Uploads | |||||||
|   the client. Partially uploaded files are also closed as long as they are |   the client. Partially uploaded files are also closed as long as they are | ||||||
|   named ``file`` in the upload handler. |   named ``file`` in the upload handler. | ||||||
|  |  | ||||||
|  | * :meth:`Storage.get_available_name() | ||||||
|  |   <django.core.files.storage.Storage.get_available_name>` now appends an | ||||||
|  |   underscore plus a random 7 character alphanumeric string (e.g. | ||||||
|  |   ``"_x3a1gho"``), rather than iterating through an underscore followed by a | ||||||
|  |   number (e.g. ``"_1"``, ``"_2"``, etc.) to prevent a denial-of-service attack. | ||||||
|  |   This change was also made in the 1.6.6, 1.5.9, and 1.4.14 security releases. | ||||||
|  |  | ||||||
| Forms | Forms | ||||||
| ^^^^^ | ^^^^^ | ||||||
|  |  | ||||||
|   | |||||||
| @@ -30,6 +30,9 @@ from django.utils._os import upath | |||||||
| from .models import Storage, temp_storage, temp_storage_location | from .models import Storage, temp_storage, temp_storage_location | ||||||
|  |  | ||||||
|  |  | ||||||
|  | FILE_SUFFIX_REGEX = '[A-Za-z0-9]{7}' | ||||||
|  |  | ||||||
|  |  | ||||||
| class GetStorageClassTests(SimpleTestCase): | class GetStorageClassTests(SimpleTestCase): | ||||||
|  |  | ||||||
|     def test_get_filesystem_storage(self): |     def test_get_filesystem_storage(self): | ||||||
| @@ -465,14 +468,16 @@ class FileFieldStorageTests(unittest.TestCase): | |||||||
|         # Save another file with the same name. |         # Save another file with the same name. | ||||||
|         obj2 = Storage() |         obj2 = Storage() | ||||||
|         obj2.normal.save("django_test.txt", ContentFile("more content")) |         obj2.normal.save("django_test.txt", ContentFile("more content")) | ||||||
|         self.assertEqual(obj2.normal.name, "tests/django_test_1.txt") |         obj2_name = obj2.normal.name | ||||||
|  |         six.assertRegex(self, obj2_name, "tests/django_test_%s.txt" % FILE_SUFFIX_REGEX) | ||||||
|         self.assertEqual(obj2.normal.size, 12) |         self.assertEqual(obj2.normal.size, 12) | ||||||
|         obj2.normal.close() |         obj2.normal.close() | ||||||
|  |  | ||||||
|         # Deleting an object does not delete the file it uses. |         # Deleting an object does not delete the file it uses. | ||||||
|         obj2.delete() |         obj2.delete() | ||||||
|         obj2.normal.save("django_test.txt", ContentFile("more content")) |         obj2.normal.save("django_test.txt", ContentFile("more content")) | ||||||
|         self.assertEqual(obj2.normal.name, "tests/django_test_2.txt") |         self.assertNotEqual(obj2_name, obj2.normal.name) | ||||||
|  |         six.assertRegex(self, obj2.normal.name, "tests/django_test_%s.txt" % FILE_SUFFIX_REGEX) | ||||||
|         obj2.normal.close() |         obj2.normal.close() | ||||||
|  |  | ||||||
|     def test_filefield_read(self): |     def test_filefield_read(self): | ||||||
| @@ -485,17 +490,18 @@ class FileFieldStorageTests(unittest.TestCase): | |||||||
|         self.assertEqual(list(obj.normal.chunks(chunk_size=2)), [b"co", b"nt", b"en", b"t"]) |         self.assertEqual(list(obj.normal.chunks(chunk_size=2)), [b"co", b"nt", b"en", b"t"]) | ||||||
|         obj.normal.close() |         obj.normal.close() | ||||||
|  |  | ||||||
|     def test_file_numbering(self): |     def test_duplicate_filename(self): | ||||||
|         # Multiple files with the same name get _N appended to them. |         # Multiple files with the same name get _(7 random chars) appended to them. | ||||||
|         objs = [Storage() for i in range(3)] |         objs = [Storage() for i in range(2)] | ||||||
|         for o in objs: |         for o in objs: | ||||||
|             o.normal.save("multiple_files.txt", ContentFile("Same Content")) |             o.normal.save("multiple_files.txt", ContentFile("Same Content")) | ||||||
|         self.assertEqual( |         try: | ||||||
|             [o.normal.name for o in objs], |             names = [o.normal.name for o in objs] | ||||||
|             ["tests/multiple_files.txt", "tests/multiple_files_1.txt", "tests/multiple_files_2.txt"] |             self.assertEqual(names[0], "tests/multiple_files.txt") | ||||||
|         ) |             six.assertRegex(self, names[1], "tests/multiple_files_%s.txt" % FILE_SUFFIX_REGEX) | ||||||
|         for o in objs: |         finally: | ||||||
|             o.delete() |             for o in objs: | ||||||
|  |                 o.delete() | ||||||
|  |  | ||||||
|     def test_filefield_default(self): |     def test_filefield_default(self): | ||||||
|         # Default values allow an object to access a single file. |         # Default values allow an object to access a single file. | ||||||
| @@ -587,10 +593,9 @@ class FileSaveRaceConditionTest(unittest.TestCase): | |||||||
|         self.thread.start() |         self.thread.start() | ||||||
|         self.save_file('conflict') |         self.save_file('conflict') | ||||||
|         self.thread.join() |         self.thread.join() | ||||||
|         self.assertTrue(self.storage.exists('conflict')) |         files = sorted(os.listdir(self.storage_dir)) | ||||||
|         self.assertTrue(self.storage.exists('conflict_1')) |         self.assertEqual(files[0], 'conflict') | ||||||
|         self.storage.delete('conflict') |         six.assertRegex(self, files[1], 'conflict_%s' % FILE_SUFFIX_REGEX) | ||||||
|         self.storage.delete('conflict_1') |  | ||||||
|  |  | ||||||
|  |  | ||||||
| @unittest.skipIf(sys.platform.startswith('win'), "Windows only partially supports umasks and chmod.") | @unittest.skipIf(sys.platform.startswith('win'), "Windows only partially supports umasks and chmod.") | ||||||
| @@ -651,9 +656,10 @@ class FileStoragePathParsing(unittest.TestCase): | |||||||
|         self.storage.save('dotted.path/test', ContentFile("1")) |         self.storage.save('dotted.path/test', ContentFile("1")) | ||||||
|         self.storage.save('dotted.path/test', ContentFile("2")) |         self.storage.save('dotted.path/test', ContentFile("2")) | ||||||
|  |  | ||||||
|  |         files = sorted(os.listdir(os.path.join(self.storage_dir, 'dotted.path'))) | ||||||
|         self.assertFalse(os.path.exists(os.path.join(self.storage_dir, 'dotted_.path'))) |         self.assertFalse(os.path.exists(os.path.join(self.storage_dir, 'dotted_.path'))) | ||||||
|         self.assertTrue(os.path.exists(os.path.join(self.storage_dir, 'dotted.path/test'))) |         self.assertEqual(files[0], 'test') | ||||||
|         self.assertTrue(os.path.exists(os.path.join(self.storage_dir, 'dotted.path/test_1'))) |         six.assertRegex(self, files[1], 'test_%s' % FILE_SUFFIX_REGEX) | ||||||
|  |  | ||||||
|     def test_first_character_dot(self): |     def test_first_character_dot(self): | ||||||
|         """ |         """ | ||||||
| @@ -663,8 +669,10 @@ class FileStoragePathParsing(unittest.TestCase): | |||||||
|         self.storage.save('dotted.path/.test', ContentFile("1")) |         self.storage.save('dotted.path/.test', ContentFile("1")) | ||||||
|         self.storage.save('dotted.path/.test', ContentFile("2")) |         self.storage.save('dotted.path/.test', ContentFile("2")) | ||||||
|  |  | ||||||
|         self.assertTrue(os.path.exists(os.path.join(self.storage_dir, 'dotted.path/.test'))) |         files = sorted(os.listdir(os.path.join(self.storage_dir, 'dotted.path'))) | ||||||
|         self.assertTrue(os.path.exists(os.path.join(self.storage_dir, 'dotted.path/.test_1'))) |         self.assertFalse(os.path.exists(os.path.join(self.storage_dir, 'dotted_.path'))) | ||||||
|  |         self.assertEqual(files[0], '.test') | ||||||
|  |         six.assertRegex(self, files[1], '.test_%s' % FILE_SUFFIX_REGEX) | ||||||
|  |  | ||||||
|  |  | ||||||
| class ContentFileStorageTestCase(unittest.TestCase): | class ContentFileStorageTestCase(unittest.TestCase): | ||||||
|   | |||||||
		Reference in New Issue
	
	Block a user