Fixed CVE-2021-28658 -- Fixed potential directory-traversal via uploaded files.

Thanks Claude Paroz for the initial patch. Thanks Dennis Brinkrolf for the report.
2025-10-24 06:06:09 +00:00 · 2021-03-16 10:19:00 +01:00
parent 78fea27f69
commit d4d800ca1a
9 changed files with 159 additions and 23 deletions
--- a/tests/file_uploads/views.py
+++ b/tests/file_uploads/views.py
@@ -9,6 +9,7 @@ from .models import FileModel
 from .tests import UNICODE_FILENAME, UPLOAD_TO
 from .uploadhandler import (
    ErroringUploadHandler, QuotaUploadHandler, StopUploadTemporaryFileHandler,
+    TraversalUploadHandler,
 )


@@ -162,3 +163,11 @@ def file_upload_fd_closing(request, access):
    if access == 't':
        request.FILES  # Trigger file parsing.
    return HttpResponse()
+
+
+def file_upload_traversal_view(request):
+    request.upload_handlers.insert(0, TraversalUploadHandler())
+    request.FILES  # Trigger file parsing.
+    return JsonResponse(
+        {'file_name': request.upload_handlers[0].file_name},
+    )