id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
32718	Saving a FileField raises SuspiciousFileOperation in some scenarios.	Jakub Kleň	Mariusz Felisiak	"I came across this issue today when I was updating Django from 3.2.0 -> 3.2.1.
It's directly caused by: [https://docs.djangoproject.com/en/3.2/releases/3.2.1/#cve-2021-31542-potential-directory-traversal-via-uploaded-files]

Starting from 3.2.1, Django requires that only the basename is passed to `FieldFile.save` method, because otherwise it raises a new exception:
{{{
SuspiciousFileOperation: File name ... includes path elements
}}}
The issue is that in `FileField.pre_save`, a full path is passed to `FieldFile.save`, causing the exception to be raised.

Correct me if I'm wrong, but file-like objects always contain the full path to the file in the `name` attribute (the built-in Django `File` class even uses it to reopen the file if it was closed), and so it seems to be a bug in Django itself.

Steps to reproduce:
{{{
model_instance.file_attribute = File(open(path, 'rb'))
model_instance.save()
}}}

I also created a PR with the fix: [https://github.com/django/django/pull/14354]"	Bug	closed	Database layer (models, ORM)	2.2	Release blocker	fixed	3.2.1 file model filefield fieldfile	Carlton Gibson Florian Apolloner Markus Holtermann	Accepted	1	0	0	0	0	0