5👍
I found that Django's new mitigation code doesn't agree with the project's own File and ImageFile default behavior, which is to copy the exact file name from the object you gave the constructor.
Applying a change like this to your code should fix it, like it fixed mine:
doc = '/tmp/mergedfile.pdf'
with open(doc, mode='rb') as f:
- job_files.job_file = File(f)
+ job_files.job_file = File(f, name=os.path.basename(doc))
job_files.save()
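Review bot: the `+` line calls `os.path.basename(doc)` but the snippet shows no `import os`, so pasting it verbatim raises a NameError; add the import above the `with` block. Passing a bare basename as `name=` is what keeps the stored name free of the path elements the new check rejects, whereas `File(f)` alone takes `f.name`, i.e. the full `/tmp/mergedfile.pdf` path.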
Edit: The bug is now fixed in the Django releases made today, May 13th: versions 2.2.23, 3.1.11, 3.2.3.
1👍
The best way to work around this is to simply upgrade to Django 2.2.23 or any more current version of Django, as this regression has been fixed 🙂
0👍
It's due to mitigations for CVE-2021-31542 that were released recently: https://www.djangoproject.com/weblog/2021/may/04/security-releases/
0👍
I also ran into this but needed to be able to programmatically specify the upload directory. This change makes it impossible to put files in directories when passing a filename. It is still, however, possible to work around this new restriction by specifying a custom upload_to function.
Here is an example commit which works around this change:
+def get_invoice_dir(instance, filename):
+ return "dpnk-{}/{}".format(instance.campaign.pk, filename)
+
+
@with_author
class Invoice(StaleSyncMixin, AbstractOrder):
"""Faktura"""
@@ -103,14 +107,14 @@ class Invoice(StaleSyncMixin, AbstractOrder):
)
invoice_pdf = models.FileField(
verbose_name=_(u"PDF faktury"),
- upload_to=u"invoices",
+ upload_to=get_invoice_dir,
max_length=512,
blank=True,
null=True,
)
invoice_xml = models.FileField(
verbose_name=_("XML faktury"),
- upload_to="invoices",
+ upload_to=get_invoice_dir,
max_length=512,
blank=True,
null=True,
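Review bot: switching `upload_to` on `invoice_pdf` and `invoice_xml` from the string `"invoices"` to the callable `get_invoice_dir` changes the field definition Django records in migrations, so this commit also needs the migration that `makemigrations` generates for it, which is not part of the diff. Note too that new files now land under `dpnk-<campaign pk>/` instead of `invoices/`; existing rows keep their previously stored paths, which is fine as long as nothing else assumes a single directory.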
@@ -340,16 +344,13 @@ def create_and_send_invoice_files(sender, instance, created, **kwargs):
if not instance.invoice_pdf or not instance.invoice_xml:
invoice_data = invoice_gen.generate_invoice(instance)
instance.total_amount = invoice_data.price_tax
- filename = "dpnk-%s/%s" % (
- instance.campaign.pk,
- slugify(
- "invoice_%s_%s_%s_%s"
- % (
- instance.sequence_number,
- instance.company.name[0:40],
- instance.exposure_date.strftime("%Y-%m-%d"),
- uuid.uuid4(),
- ),
+ filename = slugify(
+ "invoice_%s_%s_%s_%s"
+ % (
+ instance.sequence_number,
+ instance.company.name[0:40],
+ instance.exposure_date.strftime("%Y-%m-%d"),
+ uuid.uuid4(),
),
)
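Review bot: after this change nothing at the call site shows where the directory comes from; a short comment that the `dpnk-<pk>/` prefix is now applied by the field's `upload_to` (`get_invoice_dir`) would stop a future reader from re-adding it here and producing a name with a path separator, which is exactly what the mitigation rejects. The remaining inputs (`sequence_number`, the first 40 characters of `company.name`, the formatted date and a uuid4) all pass through `slugify`, so the resulting bare name cannot carry path elements.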
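The following is a small stand-alone model of the behaviour the first and fourth answers describe, added here as an example; it is not Django's code and not from any answer. `validate_bare_name` is a simplified stand-in for the path-element check the mitigation introduced, `file_name_for` mirrors the difference between `File(f)` and `File(f, name=...)`, `generate_storage_path` applies an `upload_to` string or callable only after the bare name has passed validation and then confirms the resolved path still sits under an assumed `MEDIA_ROOT`, and `invoice_upload_dir` has the shape of the diff's `get_invoice_dir`. All function names, the media root, and the sample paths are constructed for the demonstration.

```python
import os
import posixpath
from typing import Callable, Dict, Union

# Assumed media root for the demonstration (constructed value, not from the page).
MEDIA_ROOT = "/srv/app/media"


class SuspiciousFileOperation(Exception):
    """Stand-in for the exception type raised when a name would escape the upload area."""


def validate_bare_name(name: str) -> str:
    # A bare file name must equal its own basename: no directory part, not absolute,
    # and not one of the traversal tokens. Simplified model of the mitigation's check;
    # not Django's own implementation.
    if name in ("", ".", "..") or name != os.path.basename(name):
        raise SuspiciousFileOperation("File name %r includes path elements" % name)
    return name


def file_name_for(open_path: str, explicit_name: Union[str, None] = None) -> str:
    # File(f) copies f.name, i.e. the path the file was opened from;
    # File(f, name=...) uses the explicit name instead.
    return explicit_name if explicit_name is not None else open_path


def generate_storage_path(name: str, upload_to: Union[str, Callable[[str], str]]) -> str:
    # Order matters: validate the bare name first, then let upload_to choose the
    # directory, then check that the joined result still resolves below MEDIA_ROOT.
    bare = validate_bare_name(name)
    relative = upload_to(bare) if callable(upload_to) else posixpath.join(upload_to, bare)
    full = os.path.normpath(os.path.join(MEDIA_ROOT, relative))
    if os.path.commonpath([MEDIA_ROOT, full]) != MEDIA_ROOT:
        raise SuspiciousFileOperation("Resolved path %r escapes MEDIA_ROOT" % full)
    return os.path.relpath(full, MEDIA_ROOT)


def invoice_upload_dir(campaign_pk: int, filename: str) -> str:
    # Same shape as the diff's get_invoice_dir: the model picks the directory,
    # the already-validated bare name is passed through unchanged.
    return "dpnk-{}/{}".format(campaign_pk, filename)


def demo() -> Dict[str, str]:
    doc = "/tmp/mergedfile.pdf"  # constructed sample path, as in the first answer
    results: Dict[str, str] = {}

    # 1. File(f) default: the name is the full open path, so the bare-name check rejects it.
    try:
        generate_storage_path(file_name_for(doc), "job_files")
        results["default_name"] = "accepted"
    except SuspiciousFileOperation:
        results["default_name"] = "rejected"

    # 2. File(f, name=os.path.basename(doc)): a bare name is accepted and lands in job_files/.
    results["basename"] = generate_storage_path(
        file_name_for(doc, os.path.basename(doc)), "job_files"
    )

    # 3. Directory placement through an upload_to callable, after validation of the bare name.
    results["callable"] = generate_storage_path(
        "invoice-42.pdf", lambda n: invoice_upload_dir(7, n)
    )

    # 4. A name carrying a directory component is refused before any directory logic runs.
    try:
        generate_storage_path("../../outside.txt", "job_files")
        results["traversal"] = "accepted"
    except SuspiciousFileOperation:
        results["traversal"] = "rejected"

    # 5. A callable that itself returns an escaping path is caught by the containment check.
    try:
        generate_storage_path("x.pdf", lambda n: "../" + n)
        results["bad_callable"] = "accepted"
    except SuspiciousFileOperation:
        results["bad_callable"] = "rejected"

    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The containment check at the end of `generate_storage_path` is the part worth keeping even once the upstream regression is gone: a callable `upload_to` is application code, and verifying that its output resolves under the media root catches a mistake there independently of whatever the framework validates on the input name.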