Opened 2 months ago
Closed 2 months ago
#35817 closed Bug (wontfix)
Regression in default_storage.save(path, source)
Reported by: | Caram | Owned by: | |
---|---|---|---|
Component: | File uploads/storage | Version: | 5.1 |
Severity: | Normal | Keywords: | |
Cc: | Caram | Triage Stage: | Unreviewed |
Has patch: | no | Needs documentation: | no |
Needs tests: | no | Patch needs improvement: | no |
Easy pickings: | no | UI/UX: | no |
Description
I've just upgraded from 5.0.1 to 5.1 and my users have just been hit by this regression/feature in django/core/files/storage/base.py
.
2 new calls have been made to validate_file_name()
inside save()
. And this checks in particular that the path is not absolute - which it is in my case and it needs to be so, because I'm (intentionally) saving files to a different part of the filesystem.
This code had been working fine for ages and now it's broken.
Here is I believe a link to the culprit patch:
Change History (2)
comment:1 by , 2 months ago
comment:2 by , 2 months ago
Resolution: | → wontfix |
---|---|
Severity: | Release blocker → Normal |
Status: | new → closed |
Hello Caram,
As you have correctly found, this was indeed a security fix applied to all supported Django versions. The description of the issue was posted in https://www.djangoproject.com/weblog/2024/jul/09/security-releases/. This fix provides enhanced security and avoid potential path traversals in file storages.
We will not revert the security fix for the reasons stated in the post. What you could do is to use relative paths in the save
call and make those paths absolute inside the _save
method, just like the provided FileSystemStorage
do (see the full_path call). Another example of a well known storage doing this (mapping between absolute and relative paths, see _full_path) is the DropboxStorage
in django-storages
.
Actually this was introduced in 5.0.7: CVE-2024-39330: Potential directory-traversal via
Storage.save()