[4.2.x] Fixed CVE-2024-39330 -- Added extra file name validation in Storage's save method.

Thanks to Josh Schneier for the report, and to Carlton Gibson and Sarah Boyce for the reviews.
2025-10-24 06:06:09 +00:00 · 2024-03-20 13:55:21 -03:00
parent 156d3186c9
commit 2b00edc015
6 changed files with 100 additions and 13 deletions
--- a/tests/file_uploads/tests.py
+++ b/tests/file_uploads/tests.py
@@ -826,7 +826,7 @@ class DirectoryCreationTests(SimpleTestCase):
        default_storage.delete(UPLOAD_TO)
        # Create a file with the upload directory name
        with SimpleUploadedFile(UPLOAD_TO, b"x") as file:
-            default_storage.save(UPLOAD_TO, file)
+            default_storage.save(UPLOAD_FOLDER, file)
        self.addCleanup(default_storage.delete, UPLOAD_TO)
        msg = "%s exists and is not a directory." % UPLOAD_TO
        with self.assertRaisesMessage(FileExistsError, msg):