#32718: [3.2.1] Issue with assigning file to FileField
-------------------------------------+-------------------------------------
     Reporter:  Jakub Kleň           |                    Owner:  nobody
         Type:  Bug                  |                   Status:  new
    Component:  Database layer       |                  Version:  2.2
  (models, ORM)                      |
     Severity:  Release blocker      |               Resolution:
     Keywords:  3.2.1 file model     |             Triage Stage:  Accepted
  filefield fieldfile                |
    Has patch:  1                    |      Needs documentation:  1
  Needs tests:  1                    |  Patch needs improvement:  1
Easy pickings:  0                    |                    UI/UX:  0
-------------------------------------+-------------------------------------

Comment (by Florian Apolloner):

 Replying to [comment:21 Brian Bouterse]:
 > Here the `SuspiciousFileOperation` is also raised on the saving of
 > `MyModelWithUploadTo`. Do you all know why this difference is significant?

 This is perfect! The difference can be significant due to this:
 https://github.com/django/django/blob/c4ee3b208a2c95a5102b5e4fa789b10f8ee29b84/django/db/models/fields/files.py#L309-L322
 -- This means when `upload_to` is set it is supposed to return the final
 filename (including a relative path). Since you are just returning
 'qqq' there it will be valid in 2.2.20. 2.2.21 validates the name
 beforehand and will break that. This really helps. Phillip had similar
 code (i.e. `upload_to` in a function as well).

 > As a practical matter, I'm still trying to figure out if another release
 > removing these two lines will occur, or if the CVE description needs
 > revision. Do you have some advice for me on which you think will happen?

 There will be another release fixing this and the CVE will probably get
 adjusted to drop the sentence "Specifically, empty file names and paths
 with dot segments will be rejected.". Does the wording make more sense
 for you then?

 > Thank you for everything. Our project and users really appreciate it.
 > Please let me know how we can help.

 Will do, testing will certainly help once we have a suitable PR :)

-- 
Ticket URL: <https://code.djangoproject.com/ticket/32718#comment:24>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
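The point Florian makes above is that a callable `upload_to` is expected to return the final name relative to the media root, and that the release under discussion validated the caller-supplied name before `upload_to` had a chance to rewrite it. The following is an added, self-contained example (not Django's own code and not taken from the ticket) that shows the defensive shape a practitioner would want: an `upload_to` callable that reduces whatever name a client sent to a safe basename under a dated prefix, and a validator that applies the rule quoted from the CVE text (empty names and dot segments are rejected) to the name `upload_to` produced. `SuspiciousFileOperation`, `validate_file_name`, `safe_basename`, `generate_filename` and the extra `today` keyword are all assumptions of this example; Django itself calls `upload_to(instance, filename)` with two arguments.

```python
import os
import posixpath
import re
from datetime import date
from typing import Optional


class SuspiciousFileOperation(Exception):
    """Hypothetical stand-in for the framework exception named in the ticket."""


def validate_file_name(name: str) -> str:
    """Reject empty names, absolute paths and any '.' / '..' path segment.

    Returns the name unchanged when it is acceptable so callers can chain it.
    This is the rule quoted in the thread, re-implemented here for illustration.
    """
    if not name or not name.strip():
        raise SuspiciousFileOperation("empty file name")
    normalized = name.replace("\\", "/")
    if normalized.startswith("/"):
        raise SuspiciousFileOperation(f"absolute path not allowed: {name!r}")
    if any(segment in (".", "..") for segment in normalized.split("/")):
        raise SuspiciousFileOperation(f"dot segment in file name: {name!r}")
    return name


def is_valid_name(name: str) -> bool:
    """Boolean wrapper around validate_file_name for callers that only need yes/no."""
    try:
        validate_file_name(name)
    except SuspiciousFileOperation:
        return False
    return True


def safe_basename(filename: str) -> str:
    """Keep only the last path component and a conservative character set."""
    base = os.path.basename(filename.replace("\\", "/"))
    base = re.sub(r"[^A-Za-z0-9._-]", "_", base)
    # Stripping leading/trailing dots and underscores turns '..' into '',
    # which then falls back to a fixed placeholder name.
    return base.strip("._") or "unnamed"


def upload_to(instance, filename: str, today: Optional[date] = None) -> str:
    """upload_to callable: returns the final path relative to the media root.

    `instance` is accepted to match the (instance, filename) signature and is
    unused here; `today` is an added keyword so the result is testable.
    """
    today = today or date.today()
    return posixpath.join("uploads", f"{today:%Y/%m}", safe_basename(filename))


def generate_filename(instance, filename: str, today: Optional[date] = None) -> str:
    """Run upload_to first, then validate what it returned.

    Validating the caller-supplied name instead of this result is exactly the
    ordering problem the ticket describes: the raw upload name may carry path
    components that upload_to was going to discard anyway.
    """
    return validate_file_name(upload_to(instance, filename, today))
```

Design note: the validator is applied to the output of `upload_to`, not to the raw client filename, so a bare name such as `'qqq'` or a relative path produced by the callable passes, while a returned value that still contains `..` segments is rejected before anything touches storage.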
