mirror of https://github.com/django/django.git synced 2025-07-14 06:39:24 +00:00

91 Commits

Author SHA1 Message Date
Florian Apolloner
4cb35b384c [2.2.x] Fixed CVE-2021-45452 -- Fixed potential path traversal in storage subsystem.
Thanks to Dennis Brinkrolf for the report.
2022-01-04 10:20:31 +01:00
Mariusz Felisiak
63f0d7a0f6 [2.2.x] Refs #32718 -- Fixed file_storage.test_generate_filename and model_fields.test_filefield tests on Python 3.5. 2021-05-14 06:59:11 +02:00
Mariusz Felisiak
b8ecb06436 [2.2.x] Fixed #32718 -- Relaxed file name validation in FileField.
- Validate filename returned by FileField.upload_to() not a filename
  passed to the FileField.generate_filename() (upload_to() may
  completely ignore the passed filename).
- Allow relative paths (without dot segments) in the generated filename.

Thanks to Jakub Kleň for the report and review.
Thanks to all folks for checking this patch on existing projects.
Thanks Florian Apolloner and Markus Holtermann for the discussion and
implementation idea.

Regression in 0b79eb36915d178aef5c6a7bbce71b1e76d376d3.

Backport of b55699968fc9ee985384c64e37f6cc74a0a23683 from main.
2021-05-13 09:00:25 +02:00
Carlton Gibson
163700388c [2.2.x] Refs CVE-2021-31542 -- Skipped mock AWS storage test on Windows.
The validate_file_name() sanitation introduced in
0b79eb36915d178aef5c6a7bbce71b1e76d376d3 correctly rejects the example
file name as containing path elements on Windows. This breaks the test
introduced in 914c72be2abb1c6dd860cb9279beaa66409ae1b2 to allow path
components for storages that may allow them.

Test is skipped pending a discussed storage refactoring to support this
use-case.

Backport of a708f39ce67af174df90c5b5e50ad1976cec7cb8 from main
2021-05-06 07:44:15 +02:00
Florian Apolloner
04ac1624bd [2.2.x] Fixed CVE-2021-31542 -- Tightened path & file name sanitation in file uploads. 2021-04-27 19:10:08 +02:00
Mariusz Felisiak
375657a71c [2.2.x] Fixed CVE-2020-24583, #31921 -- Fixed permissions on intermediate-level static and storage directories on Python 3.7+.
Thanks WhiteSage for the report.

Backport of ea0febbba531a3ecc8c77b570efbfb68ca7155db from master.
2020-08-25 10:59:42 +02:00
Tim Graham
043bd70942 Updated test URL patterns to use path() and re_path(). 2018-12-31 10:47:32 -05:00
Tim Graham
98ef3829e9 Fixed #29890 -- Fixed FileSystemStorage crash if concurrent saves try to create the same directory.
Regression in 632c4ffd9cb1da273303bcd8005fff216506c795.
2018-10-31 19:28:11 -04:00
Jon Dufresne
e90af8bad4 Capitalized "Python" in docs and comments. 2018-10-09 09:26:07 -04:00
Sergey Fedoseev
8ef8bc0f64 Refs #28909 -- Simplified code using unpacking generalizations. 2018-09-28 09:57:12 -04:00
Jon Dufresne
e7d7d47b93 Fixed ResourceWarning from unclosed test files.
When running Django tests with Python warnings enabled.
2018-07-10 12:26:19 +02:00
Jon Prindiville
b4cba4ed62 Fixed #28144 -- Added FileSystemStorage.OS_OPEN_FLAGS to allow customization. 2018-06-29 15:51:59 -04:00
Claude Paroz
8e960c5aba Removed urllib2 reference in file storage tests 2018-04-27 14:02:39 +02:00
Jon Dufresne
2c69824e5a Refs #23968 -- Removed unnecessary lists, generators, and tuple calls. 2017-06-01 19:08:59 -04:00
Rajesh Veeranki
67e1afb4a8 Fixed #28224 -- Tested for SuspiciousOperation subclasses in Django's tests. 2017-05-25 08:19:01 -04:00
Vytis Banaitis
9cbf48693d Refs #27836 -- Fixed cleanup exception in file_storage test.
TemporaryDirectory tries to delete the directory that was already removed.
2017-03-01 12:52:28 -05:00
chillaranand
e4025563ea Fixed #27836 -- Allowed FileSystemStorage.delete() to remove directories. 2017-02-24 16:02:33 -05:00
Tim Graham
29f607927f Fixed spelling of "nonexistent". 2017-02-03 08:01:45 -05:00
chillaranand
d6eaf7c018 Refs #23919 -- Replaced super(ClassName, self) with super(). 2017-01-25 12:23:46 -05:00
Tim Graham
632c4ffd9c Refs #23919 -- Replaced errno checking with PEP 3151 exceptions. 2017-01-25 10:13:08 -05:00
Tim Graham
4e729feaa6 Refs #23919 -- Removed django.utils._os.upath()/npath()/abspathu() usage.
These functions do nothing on Python 3.
2017-01-20 08:01:02 -05:00
Tim Graham
109b33f64c Refs #23919 -- Simplified assertRaisesRegex()'s that accounted for Python 2. 2017-01-20 08:49:47 +01:00
Claude Paroz
2b281cc35e Refs #23919 -- Removed most of remaining six usage
Thanks Tim Graham for the review.
2017-01-18 21:33:28 +01:00
Claude Paroz
d7b9aaa366 Refs #23919 -- Removed encoding preambles and future imports 2017-01-18 09:55:19 +01:00
Tim Graham
0dfc5479a8 Refs #26058 -- Removed deprecated FileField.get_directory_name()/get_filename(). 2017-01-17 20:52:04 -05:00
Tim Graham
2d7fb77987 Refs #23832 -- Removed deprecated non-timezone aware Storage API. 2017-01-17 20:52:03 -05:00
Tim Graham
b5f0b3478d Fixed #27579 -- Added aliases for Python 3's assertion names in SimpleTestCase. 2016-12-07 17:42:31 -05:00
za
321e94fa41 Refs #27392 -- Removed "Tests that", "Ensures that", etc. from test docstrings. 2016-11-10 21:30:21 -05:00
Tim Graham
414ad25b09 Fixed #27327 -- Simplified time zone handling by requiring pytz. 2016-10-27 08:53:20 -04:00
Chris Sinchok
ac1975b18b Fixed #13809 -- Made FieldFile.open() respect its mode argument. 2016-08-09 12:53:18 -04:00
Tomas Pazderka
b820b6108a Fixed #26896 -- Allowed a lazy base_url for FileSystemStorage. 2016-07-29 14:13:54 -04:00
Paul J Stevens
b45852c263 Refs #26772 -- Added a test for FileField reopening closed files.
Thanks Simon Charette for review.
2016-06-18 11:06:56 -04:00
Tim Graham
cd217de610 Reverted "Fixed #26644 -- Allowed wrapping NamedTemporaryFile with File."
This reverts commit 1b407050dd53e56686fdd3e168f8cac4f9be8306 as it
introduces a regression in the test for refs #26772.
2016-06-18 11:06:56 -04:00
Tim Graham
7def55c3f6 Reverted "Fixed #26398 -- Made FieldFile.open() respect its mode argument."
This reverts commit a52a531a8b34f049fba11c3ee7b010af7534bf90 due to
regressions described in refs #26772.
2016-06-17 21:04:02 -04:00
Hugo Osvaldo Barrera
1b407050dd Fixed #26644 -- Allowed wrapping NamedTemporaryFile with File.
914c72be2abb1c6dd860cb9279beaa66409ae1b2 introduced a regression that
causes saving a NamedTemporaryFile in a FileField to raise a
SuspiciousFileOperation. To remedy this, if a File has an absolute
path as a filename, use only the basename as the filename.
2016-06-14 09:28:08 -04:00
Simon Charette
271581df60 Refs #26712 -- Removed workarounds for PostgreSQL queries on TIME_ZONE changes. 2016-06-06 11:26:21 -04:00
Cristiano
914c72be2a Fixed #26058 -- Delegated os.path bits of FileField's filename generation to the Storage. 2016-04-30 17:22:40 -04:00
Maxim Novikov
4d1c229ee5 Fixed #26495 -- Added name arg to Storage.save()'s File wrapping. 2016-04-21 10:40:48 -04:00
Tim Graham
92053acbb9 Fixed E128 flake8 warnings in tests/. 2016-04-08 10:12:33 -04:00
rixx
fdf5cd3429 Fixed #25905 -- Prevented leading slashes in urljoin() calls
Leading slashes in the second urljoin argument will return exactly that
argument, breaking FileSystemStorage.url behavior if called with a
parameter with leading slashes.

Also added test cases for null bytes and None. Thanks to Markus for
help and review.
2016-04-03 17:21:56 +02:00
Alexey Kotlyarov
a52a531a8b Fixed #26398 -- Made FieldFile.open() respect its mode argument. 2016-03-23 10:05:26 -04:00
James Aylett
1ff6e37de4 Fixed #23832 -- Added timezone aware Storage API.
New Storage.get_{accessed,created,modified}_time() methods convert the
naive time from now-deprecated {accessed,created,modified}_time()
methods into aware objects in UTC if USE_TZ=True.
2016-02-23 18:51:43 -05:00
Hasan
253adc2b8a Refs #26022 -- Used context manager version of assertRaisesMessage in tests. 2016-01-29 13:03:39 -05:00
Hasan
3d0dcd7f5a Refs #26022 -- Used context manager version of assertRaises in tests. 2016-01-29 12:32:18 -05:00
Simon Charette
56c461a0d7 Fixed #26038 -- Changed FileSystemStorage defaults on setting change.
Thanks to Dave Voutila for the report and Tim for the review.
2016-01-07 12:04:39 -05:00
Tim Graham
9f6b704769 Fixed #21042 -- Allowed accessing FileDescriptor on the model class.
This is consistent with ability to reference other descriptors
on the model class (5ef0c03ae9aca99289737ba6d88a371ad95cf432).
2015-10-01 15:19:39 -04:00
Tim Graham
1bb6ecf6d3 Refs #9893 -- Removed shims for lack of max_length support in file storage per deprecation timeline. 2015-09-23 19:31:10 -04:00
Tim Graham
aaacaeb096 Renamed RemovedInDjangoXYWarnings for new roadmap.
Forwardport of ae1d663b7913f6da233c55409c4973248372d302
from stable/1.8.x plus more.
2015-06-24 16:08:20 -04:00
Claude Paroz
170f7115bb Fixed #24826 -- Accounted for filesystem-dependent filename max length
Thanks Raphaël Hertzog for the report and help on the patch, and Tim Graham
for the review.
2015-05-22 20:06:31 +02:00
Tim Graham
e2b77acedd Fixed typo in file_storage tests. 2015-05-20 13:05:41 -04:00