Lightrun
question-mark
Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Django security releases 4.0.1, 3.2.11, and 2.2.26 could break the storage check

See original GitHub issue

This could be config specific (our default root etc), but after upgrading to Django 2.2.26, we saw our watchman storage check consistently fail.

See CVE-2021-45452: Potential directory-traversal via Storage.save() on https://www.djangoproject.com/weblog/2022/jan/04/security-releases/ (diff https://github.com/django/django/commit/6d343d01c57eb03ca1c6826318b652709e58a76e)

Example traceback (slightly redacted):

Traceback (most recent call last):
  File "/srv/[redacted]-py3/lib/python3.8/site-packages/watchman/decorators.py", line 28, in wrapped
    response = func(*args, **kwargs)
  File "/srv/[redacted]-py3/lib/python3.8/site-packages/watchman/checks.py", line 63, in _check_storage
    path = default_storage.save(filename, ContentFile(content))
  File "/srv/[redacted]-py3/lib/python3.8/site-packages/django/core/files/storage.py", line 56, in save
    validate_file_name(name, allow_relative_path=True)
  File "/srv/[redacted]-py3/lib/python3.8/site-packages/django/core/files/utils.py", line 18, in validate_file_name
    raise SuspiciousFileOperation(
django.core.exceptions.SuspiciousFileOperation: Detected path traversal attempt in '/usr/local/[redacted]/www/django-watchman-416abbee-8bbb-4f79-98d0-858aa4168824.txt'

Issue Analytics

  • State:open
  • Created 2 years ago
  • Reactions:1
  • Comments:9 (7 by maintainers)

github_iconTop GitHub Comments

1reaction
caylacommented, Jan 4, 2022

@mwarkentin That is exactly what we are going to do for today. 😃

1reaction
mwarkentincommented, Jan 4, 2022

@cayla thanks for letting me know about this… I’ll take a look shortly. 😃

Read more comments on GitHub >

github_iconTop Results From Across the Web

Django security releases issued: 4.0.1, 3.2.11, and 2.2.26
Storage.save() allowed directory-traversal if directly passed suitably crafted file names. Thanks to Dennis Brinkrolf for the report. This issue ...
Read more >
Djangoproject Django : List of security vulnerabilities
Storage.save in Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 before 4.0.1 allows directory traversal if crafted filenames are directly passed to...
Read more >
Django security releases issued: 4.0.1, 3.2.11, and 2.2.26 ...
Blog post: https://www.djangoproject.com/weblog/2022/jan/04/security-releases/ Django 4.0.1, 3.2.11, and 2.2.26 fix three security issues.
Read more >
Search Results - CVE
Storage.save in Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 before 4.0.1 allows directory traversal if crafted filenames are directly passed ...
Read more >
django vulnerabilities
version published direct vulnerabilities 4.1.4 6 Dec, 2022 0. C. 0. H. 0. M. 0. L 4.1.3 1 Nov, 2022 0. C. 0. H. 0....
Read more >

github_iconTop Related Medium Post

No results found

github_iconTop Related StackOverflow Question

No results found

github_iconTroubleshoot Live Code

Lightrun enables developers to add logs, metrics and snapshots to live code - no restarts or redeploys required.
Start Free

github_iconTop Related Reddit Thread

No results found

github_iconTop Related Hackernoon Post

No results found

github_iconTop Related Tweet

No results found

github_iconTop Related Dev.to Post

No results found

github_iconTop Related Hashnode Post

No results found
Previous page

Returns 200 when custom check raises Exception

Next page

Make watchman settings importable