#32718: [3.2.1] Issue with assigning file to FileField
-------------------------------------+-------------------------------------
     Reporter:  Jakub Kleň            |                    Owner:  nobody
         Type:  Bug                   |                   Status:  new
    Component:  Database layer        |                  Version:  2.2
                (models, ORM)         |
     Severity:  Release blocker       |               Resolution:
     Keywords:  3.2.1 file model      |             Triage Stage:  Accepted
                filefield fieldfile   |
    Has patch:  1                     |      Needs documentation:  1
  Needs tests:  1                     |  Patch needs improvement:  1
Easy pickings:  0                     |                    UI/UX:  0
-------------------------------------+-------------------------------------
Comment (by Florian Apolloner):

 Replying to [comment:21 Brian Bouterse]:
 > Here the `SuspiciousFileOperation` is also raised on the saving of
 > `MyModelWithUploadTo`. Do you all know why this difference is significant?

 This is perfect! The difference can be significant due to this:
 https://github.com/django/django/blob/c4ee3b208a2c95a5102b5e4fa789b10f8ee29b84/django/db/models/fields/files.py#L309-L322
 -- This means when upload_to is set it is supposed to return the final
 filename (including a relative path). Since you are just returning 'qqq'
 there it will be valid in 2.2.20. 2.2.21 validates the name beforehand and
 will break that. This really helps. Phillip had similar code (i.e.
 `upload_to` in a function as well).

 > As a practical matter, I'm still trying to figure out if another release
 > removing these two lines will occur, or if the CVE description needs
 > revision. Do you have some advice for me on which you think will happen?

 There will be another release fixing this and the CVE will probably get
 adjusted to drop the sentence "Specifically, empty file names and paths
 with dot segments will be rejected.". Does the wording make more sense for
 you then?

 > Thank you for everything. Our project and users really appreciate it.
 > Please let me know how we can help.

 Will do, testing will certainly help once we have a suitable PR :)

-- 
Ticket URL: <https://code.djangoproject.com/ticket/32718#comment:24>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
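As an added illustration (not Django's code and not part of this thread), a simplified model of the two validation modes the comment contrasts: a strict check that rejects any directory component in the name an `upload_to` callable returns, beside a relaxed check that still blocks absolute paths and `..` segments but allows the relative path an `upload_to` callable is expected to return. The `allow_relative_path` switch, the `is_rejected` helper and the two sample `upload_to` callables are assumptions of this model.

```python
import posixpath
import pathlib


class SuspiciousFileOperation(Exception):
    """Raised when a file name would escape the intended storage location."""


def validate_file_name(name, allow_relative_path=False):
    """Simplified model (not Django's own implementation) of a name check.

    allow_relative_path=False: reject any directory component; this is the
    strict behaviour that breaks upload_to callables returning "dir/name".
    allow_relative_path=True: accept a relative directory but still reject
    absolute paths and any '..' segment, so traversal stays blocked.
    """
    if posixpath.basename(name) in {"", ".", ".."}:
        raise SuspiciousFileOperation(f"Could not derive file name from '{name}'")
    if allow_relative_path:
        path = pathlib.PurePosixPath(name)
        if path.is_absolute() or ".." in path.parts:
            raise SuspiciousFileOperation(f"Detected path traversal attempt in '{name}'")
    elif name != posixpath.basename(name):
        raise SuspiciousFileOperation(f"File name '{name}' includes path elements")
    return name


def generate_filename(instance, filename, upload_to, allow_relative_path):
    """Model of the generate_filename step: a callable upload_to returns the
    final name (possibly "subdir/name"); a string upload_to is a directory
    prefix. Either way the result is validated before use."""
    if callable(upload_to):
        name = upload_to(instance, filename)
    else:
        name = posixpath.join(upload_to, filename)
    return validate_file_name(name, allow_relative_path)


def is_rejected(filename, upload_to, allow_relative_path):
    """True when the model raises SuspiciousFileOperation for this input."""
    try:
        generate_filename(None, filename, upload_to, allow_relative_path)
    except SuspiciousFileOperation:
        return True
    return False


# Constructed upload_to callables: one returns a bare name, as in the thread,
# the other the conventional "subdir/name" form that strict checking rejects.
def bare_name(instance, filename):
    return "qqq"


def per_user_dir(instance, filename):
    return "avatars/" + filename
```

Strict mode rejects `per_user_dir` output even though it never leaves the storage root, which is the regression the comment describes; relaxed mode keeps it while still refusing `avatars/../../x` and absolute paths.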