Opened 6 weeks ago
Closed 6 weeks ago
#35817 closed Bug (wontfix)
Regression in default_storage.save(path, source)
| Reported by: | Caram | Owned by: | |
|---|---|---|---|
| Component: | File uploads/storage | Version: | 5.1 |
| Severity: | Normal | Keywords: | |
| Cc: | Caram | Triage Stage: | Unreviewed |
| Has patch: | no | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | no | UI/UX: | no |
Description
I've just upgraded from 5.0.1 to 5.1 and my users have just been hit by this regression/feature in django/core/files/storage/base.py.
2 new calls have been made to validate_file_name() inside save(). And this checks in particular that the path is not absolute - which it is in my case and it needs to be so, because I'm (intentionally) saving files to a different part of the filesystem.
This code had been working fine for ages and now it's broken.
Here is I believe a link to the culprit patch:
Change History (2)
comment:1 by , 6 weeks ago
comment:2 by , 6 weeks ago
| Resolution: | → wontfix |
|---|---|
| Severity: | Release blocker → Normal |
| Status: | new → closed |
Hello Caram,
As you have correctly found, this was indeed a security fix applied to all supported Django versions. The description of the issue was posted in https://www.djangoproject.com/weblog/2024/jul/09/security-releases/. This fix provides enhanced security and avoid potential path traversals in file storages.
We will not revert the security fix for the reasons stated in the post. What you could do is to use relative paths in the save call and make those paths absolute inside the _save method, just like the provided FileSystemStorage do (see the full_path call). Another example of a well known storage doing this (mapping between absolute and relative paths, see _full_path) is the DropboxStorage in django-storages.
Actually this was introduced in 5.0.7: CVE-2024-39330: Potential directory-traversal via
Storage.save()