id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
35607	Improve Storage base backend API flexibility to allow filename validation to be overridden safely	Natalia Bidart	Natalia Bidart	"Currently, Django's Storage base backend API provides limited flexibility with regard to customization, particularly concerning filename validation. This rigidity has historically led to challenges and security concerns. See for example [https://nvd.nist.gov/vuln/detail/CVE-2024-39330 CVE-2024-39330], [https://nvd.nist.gov/vuln/detail/CVE-2021-45452 CVE-2021-45452], and [https://nvd.nist.gov/vuln/detail/CVE-2021-31542 CVE-2021-31542].

To address this, I'm proposing revisiting and enhancing the public API of storage backends to support customizable validation methods. This was also discussed internally in the Django Security mailing list. This public validation method would provide a default implementation very similar to the current validations, and should be used to replace the ad-hoc validations being done in save, generate_filename, and get_available_name.
"	Cleanup/optimization	assigned	File uploads/storage		Normal		storages	Josh Schneier Shai Berger	Accepted	0	0	0	0	0	0
