Context Navigation

Changes between Initial Version and Version 1 of Ticket #32718, comment 27

-              initial
+              v1
 > It should however, work for a **relative** file path.
+>
-> **Hack example here**
+>
-> {{{
-> # Some model
-> class FileModel(models.Model):
->     file_field = models.FileField(_('UsersFile'), storage='users', max_length=1000)
+>
-> model_inst = FileModel()
+>
-> # Add some file
-> new_file = ContentFile(some_file.read())
-> new_file.name = f"{user.name}/file.txt"    # E.g. "steve/file.txt"   <<< This file should only be for 'steve'
-> model_inst.file = new_file
+>
-> # Save the Model
-> model_inst.save()    #<<< in Django 3.2.0 this creates file "MEDIA_ROOT/users/steve/file.txt   ! which is correct
-> model_inst.save()    #<<< in Django 3.2.1 this FAILS with Path issue ! Incorrect
-> model_inst.save()    #<<< in Django Latest Git commit will create "MEDIA_ROOT/users/file.txt ! which is incorrect - missing path!
+>
-> # What we need to stop:
-> bad_file = ContentFile(malicious_script.read())
-> bad_file.name = "/etc/init.d/nameofscript.sh"
-> # or
-> bad_file.name = "../../../../../usr/local/lib/bad.file"
-> model_inst.file = bad_file
+>
-> # On Save we need to protect here - imho
-> model_inst.save()     # <<< This *should Fail* with Security Error
+>
-> }}}
+>
+>
+>
+>
+>
+>
 Absolute paths wouldn't be able to write shell scripts around the file system, because the path always starts with `MEDIA_ROOT`, and `../` and such are disallowed.