0
0
mirror of https://github.com/django/django.git synced 2024-12-01 15:42:04 +01:00
django/tests/file_uploads/views.py
Mariusz Felisiak d4d800ca1a Fixed CVE-2021-28658 -- Fixed potential directory-traversal via uploaded files.
Thanks Claude Paroz for the initial patch.
Thanks Dennis Brinkrolf for the report.
2021-04-06 08:15:17 +02:00

174 lines
5.3 KiB
Python

import hashlib
import os
from django.core.files.uploadedfile import UploadedFile
from django.core.files.uploadhandler import TemporaryFileUploadHandler
from django.http import HttpResponse, HttpResponseServerError, JsonResponse
from .models import FileModel
from .tests import UNICODE_FILENAME, UPLOAD_TO
from .uploadhandler import (
ErroringUploadHandler, QuotaUploadHandler, StopUploadTemporaryFileHandler,
TraversalUploadHandler,
)
def file_upload_view(request):
"""
A file upload can be updated into the POST dictionary.
"""
form_data = request.POST.copy()
form_data.update(request.FILES)
if isinstance(form_data.get('file_field'), UploadedFile) and isinstance(form_data['name'], str):
# If a file is posted, the dummy client should only post the file name,
# not the full path.
if os.path.dirname(form_data['file_field'].name) != '':
return HttpResponseServerError()
return HttpResponse()
else:
return HttpResponseServerError()
def file_upload_view_verify(request):
"""
Use the sha digest hash to verify the uploaded contents.
"""
form_data = request.POST.copy()
form_data.update(request.FILES)
for key, value in form_data.items():
if key.endswith('_hash'):
continue
if key + '_hash' not in form_data:
continue
submitted_hash = form_data[key + '_hash']
if isinstance(value, UploadedFile):
new_hash = hashlib.sha1(value.read()).hexdigest()
else:
new_hash = hashlib.sha1(value.encode()).hexdigest()
if new_hash != submitted_hash:
return HttpResponseServerError()
# Adding large file to the database should succeed
largefile = request.FILES['file_field2']
obj = FileModel()
obj.testfile.save(largefile.name, largefile)
return HttpResponse()
def file_upload_unicode_name(request):
# Check to see if Unicode name came through properly.
if not request.FILES['file_unicode'].name.endswith(UNICODE_FILENAME):
return HttpResponseServerError()
# Check to make sure the exotic characters are preserved even
# through file save.
uni_named_file = request.FILES['file_unicode']
FileModel.objects.create(testfile=uni_named_file)
full_name = '%s/%s' % (UPLOAD_TO, uni_named_file.name)
return HttpResponse() if os.path.exists(full_name) else HttpResponseServerError()
def file_upload_echo(request):
"""
Simple view to echo back info about uploaded files for tests.
"""
r = {k: f.name for k, f in request.FILES.items()}
return JsonResponse(r)
def file_upload_echo_content(request):
"""
Simple view to echo back the content of uploaded files for tests.
"""
def read_and_close(f):
with f:
return f.read().decode()
r = {k: read_and_close(f) for k, f in request.FILES.items()}
return JsonResponse(r)
def file_upload_quota(request):
"""
Dynamically add in an upload handler.
"""
request.upload_handlers.insert(0, QuotaUploadHandler())
return file_upload_echo(request)
def file_upload_quota_broken(request):
"""
You can't change handlers after reading FILES; this view shouldn't work.
"""
response = file_upload_echo(request)
request.upload_handlers.insert(0, QuotaUploadHandler())
return response
def file_stop_upload_temporary_file(request):
request.upload_handlers.insert(0, StopUploadTemporaryFileHandler())
request.upload_handlers.pop(2)
request.FILES # Trigger file parsing.
return JsonResponse(
{'temp_path': request.upload_handlers[0].file.temporary_file_path()},
)
def file_upload_interrupted_temporary_file(request):
request.upload_handlers.insert(0, TemporaryFileUploadHandler())
request.upload_handlers.pop(2)
request.FILES # Trigger file parsing.
return JsonResponse(
{'temp_path': request.upload_handlers[0].file.temporary_file_path()},
)
def file_upload_getlist_count(request):
"""
Check the .getlist() function to ensure we receive the correct number of files.
"""
file_counts = {}
for key in request.FILES:
file_counts[key] = len(request.FILES.getlist(key))
return JsonResponse(file_counts)
def file_upload_errors(request):
request.upload_handlers.insert(0, ErroringUploadHandler())
return file_upload_echo(request)
def file_upload_filename_case_view(request):
"""
Check adding the file to the database will preserve the filename case.
"""
file = request.FILES['file_field']
obj = FileModel()
obj.testfile.save(file.name, file)
return HttpResponse('%d' % obj.pk)
def file_upload_content_type_extra(request):
"""
Simple view to echo back extra content-type parameters.
"""
params = {}
for file_name, uploadedfile in request.FILES.items():
params[file_name] = {k: v.decode() for k, v in uploadedfile.content_type_extra.items()}
return JsonResponse(params)
def file_upload_fd_closing(request, access):
if access == 't':
request.FILES # Trigger file parsing.
return HttpResponse()
def file_upload_traversal_view(request):
request.upload_handlers.insert(0, TraversalUploadHandler())
request.FILES # Trigger file parsing.
return JsonResponse(
{'file_name': request.upload_handlers[0].file_name},
)