Changes between Initial Version and Version 1 of Ticket #32718, comment 27


Ignore:
Timestamp:
05/07/21 07:28:22 (21 months ago)
Author:
Jakub Kleň
Comment:

Legend:

Unmodified
Added
Removed
Modified
  • Ticket #32718, comment 27

    initial v1  
    44> It should however, work for a **relative** file path.
    55>
    6 > **Hack example here**
    7 >
    8 > {{{
    9 > # Some model
    10 > class FileModel(models.Model):
    11 >     file_field = models.FileField(_('UsersFile'), storage='users', max_length=1000)
    12 >
    13 > model_inst = FileModel()
    14 >
    15 > # Add some file
    16 > new_file = ContentFile(some_file.read())
    17 > new_file.name = f"{user.name}/file.txt"    # E.g. "steve/file.txt"   <<< This file should only be for 'steve'
    18 > model_inst.file = new_file
    19 >
    20 > # Save the Model
    21 > model_inst.save()    #<<< in Django 3.2.0 this creates file "MEDIA_ROOT/users/steve/file.txt   ! which is correct
    22 > model_inst.save()    #<<< in Django 3.2.1 this FAILS with Path issue ! Incorrect
    23 > model_inst.save()    #<<< in Django Latest Git commit will create "MEDIA_ROOT/users/file.txt ! which is incorrect - missing path!
    24 >
    25 > # What we need to stop:
    26 > bad_file = ContentFile(malicious_script.read())
    27 > bad_file.name = "/etc/init.d/nameofscript.sh"
    28 > # or
    29 > bad_file.name = "../../../../../usr/local/lib/bad.file"
    30 > model_inst.file = bad_file
    31 >
    32 > # On Save we need to protect here - imho
    33 > model_inst.save()     # <<< This *should Fail* with Security Error
    34 >
    35 > }}}
    36 >
    37 >
    38 >
    39 >
    40 >
    41 >
    426
    437Absolute paths wouldn't be able to write shell scripts around the file system, because the path always starts with `MEDIA_ROOT`, and `../` and such are disallowed.
Back to Top