
Django 4.2.14 (and 5.0.7) fixes for CVE-2024-39330 break thumbnail generation when optimisation is used

Open heppstux opened this issue 1 year ago • 3 comments

If set up with easy_thumbnails.optimize, generating any thumbnails will throw:

Detected path traversal attempt in '/Users/[redacted]/media/filer_public_thumbnails/filer_public/b8/0c/b80ca369-7e6f-41fd-8abe-9275a921bdaa/fullsizerender.jpeg__210x119_q85_subsampling-2_upscale.jpg'

The exception is thrown in optimize/post_processor.py while attempting to call storage.save with an absolute file name.

This is prevented by Django in order to fix CVE-2024-39330.

I'm a bit unsure if this is an issue for easy_thumbnails or rather Django.

heppstux, Jul 11 '24 17:07

Pull request in: https://github.com/SmileyChris/easy-thumbnails/pull/634

If I'm not missing something, the storage save/delete methods should receive a name, not a path.

bmihelac, Jul 16 '24 12:07
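The name-versus-path distinction bmihelac describes, as an added example that is neither part of this thread nor easy-thumbnails' or Django's own code: a re-implementation of the check Django 4.2.14 / 5.0.7 apply in `Storage.save()` (mirroring the "Detected path traversal attempt" message from the report), a minimal in-memory stand-in for a storage, and the conversion from the absolute path the optimize post-processor has on disk to a storage-relative name. The storage location and file paths are constructed sample values.

```python
import os
import pathlib

class SuspiciousFileOperation(Exception):
    """Raised when a name handed to a storage would escape its location."""

def validate_file_name(name):
    # Re-implementation (not Django's code) of the post-CVE-2024-39330 check:
    # absolute paths and ".." components are rejected, relative names pass.
    if os.path.basename(name) in {"", ".", ".."}:
        raise SuspiciousFileOperation(f"Could not derive file name from '{name}'")
    path = pathlib.PurePosixPath(name)
    if path.is_absolute() or ".." in path.parts:
        raise SuspiciousFileOperation(f"Detected path traversal attempt in '{name}'")
    return name

class InMemoryStorage:
    """Minimal stand-in for a Django storage: files are keyed by *name*."""

    def __init__(self, location):
        self.location = location  # plays the role of MEDIA_ROOT (constructed)
        self.files = {}

    def save(self, name, content):
        validate_file_name(name)  # what Django 4.2.14 / 5.0.7 now enforce
        self.files[name] = content
        return name

def storage_name_for(storage, absolute_path):
    """What the optimize post-processor must do with the absolute path it has
    on disk: map it back to a name relative to the storage location. A path
    outside the location is refused rather than silently stripped."""
    rel = os.path.relpath(absolute_path, storage.location)
    if rel == ".." or rel.startswith(".." + os.sep):
        raise SuspiciousFileOperation(f"'{absolute_path}' is outside '{storage.location}'")
    return rel.replace(os.sep, "/")

def save_optimised(storage, absolute_path, data):
    """After the fix: hand save() a storage-relative name, never the path."""
    return storage.save(storage_name_for(storage, absolute_path), data)

def rejected(fn, *args):
    """True if the call raises SuspiciousFileOperation (used by the checks)."""
    try:
        fn(*args)
    except SuspiciousFileOperation:
        return True
    return False
```

Passing the absolute path straight to `save()` reproduces the exception from the report; passing the relative name succeeds, which is the change the linked pull request makes.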

This is solved since 2.9.0, isn't it?

tschale, Mar 04 '25 13:03

Yeah, this issue is fixed and can be closed.

benkonrath, Jun 10 '25 11:06