Skip to content

Commit 937efc8

Browse files
author
justin
committed
fix: 修复 Django 3.2.12+ 升级后 SuspiciousFileOperation 路径遍历检测错误
- AdminFileSystemStorage 设置默认 location="/" 允许使用绝对路径 - 解决 CVE-2022-24750 安全检查与项目绝对路径存储模式的冲突 - 本项目读写控制不存在用户直接指定路径的行为,此修改是安全的
1 parent b5ef780 commit 937efc8

2 files changed

Lines changed: 6 additions & 1 deletion

File tree

apps/core/files/storage.py

Lines changed: 5 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -126,6 +126,11 @@ def __init__(
126126
directory_permissions_mode=None,
127127
file_overwrite=None,
128128
):
129+
# Django 3.2.12+ 新增路径遍历安全检查 (CVE-2022-24750)
130+
# 设置 location="/" 允许使用任意绝对路径,避免 SuspiciousFileOperation 异常
131+
# 本项目的读写控制不存在用户直接指定路径的行为,因此这是安全的
132+
if location is None:
133+
location = "/"
129134
FileSystemStorage.__init__(
130135
self,
131136
location=location,

requirements.txt

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1,7 +1,7 @@
11
# 运行时依赖安装
22
wheel==0.37.0
33
blueapps[opentelemetry]==4.4.7
4-
Django==3.2.4
4+
Django==3.2.25
55
requests==2.22.0
66
celery==4.4.7
77
django-celery-beat==2.2.0

0 commit comments

Comments
 (0)