Commit b10f8381 authored by Carlton Gibson's avatar Carlton Gibson
Browse files

[4.1.x] Fixed CVE-2022-36359 -- Escaped filename in Content-Disposition header.

parent f187c320f311
......@@ -556,7 +556,9 @@ class FileResponse(StreamingHttpResponse):
disposition = "attachment" if self.as_attachment else "inline"
try:
filename.encode("ascii")
file_expr = 'filename="{}"'.format(filename)
file_expr = 'filename="{}"'.format(
filename.replace("\\", "\\\\").replace('"', r"\"")
)
except UnicodeEncodeError:
file_expr = "filename*=utf-8''{}".format(quote(filename))
self.headers["Content-Disposition"] = "{}; {}".format(
......
......@@ -6,4 +6,10 @@ Django 3.2.15 release notes
Django 3.2.15 fixes a security issue with severity "high" in 3.2.14.
...
CVE-2022-36359: Potential reflected file download vulnerability in ``FileResponse``
===================================================================================
An application may have been vulnerable to a reflected file download (RFD)
attack that sets the Content-Disposition header of a
:class:`~django.http.FileResponse` when the ``filename`` was derived from
user-supplied input. The ``filename`` is now escaped to avoid this possibility.
......@@ -6,4 +6,10 @@ Django 4.0.7 release notes
Django 4.0.7 fixes a security issue with severity "high" in 4.0.6.
...
CVE-2022-36359: Potential reflected file download vulnerability in ``FileResponse``
===================================================================================
An application may have been vulnerable to a reflected file download (RFD)
attack that sets the Content-Disposition header of a
:class:`~django.http.FileResponse` when the ``filename`` was derived from
user-supplied input. The ``filename`` is now escaped to avoid this possibility.
......@@ -143,6 +143,41 @@ class FileResponseTests(SimpleTestCase):
'%s; filename="%s"' % (header_disposition, header_filename),
)
def test_content_disposition_escaping(self):
# fmt: off
tests = [
(
'multi-part-one";\" dummy".txt',
r"multi-part-one\";\" dummy\".txt"
),
]
# fmt: on
# Non-escape sequence backslashes are path segments on Windows, and are
# eliminated by an os.path.basename() check in FileResponse.
if sys.platform != "win32":
# fmt: off
tests += [
(
'multi-part-one\\";\" dummy".txt',
r"multi-part-one\\\";\" dummy\".txt"
),
(
'multi-part-one\\";\\\" dummy".txt',
r"multi-part-one\\\";\\\" dummy\".txt"
)
]
# fmt: on
for filename, escaped in tests:
with self.subTest(filename=filename, escaped=escaped):
response = FileResponse(
io.BytesIO(b"binary content"), filename=filename, as_attachment=True
)
response.close()
self.assertEqual(
response.headers["Content-Disposition"],
f'attachment; filename="{escaped}"',
)
def test_content_disposition_buffer(self):
response = FileResponse(io.BytesIO(b"binary content"))
self.assertFalse(response.has_header("Content-Disposition"))
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment