{
  "Selected_candidate": {
    "pr_number": 14372,
    "pr_title": "Fixed #32718 -- Relaxed file name validation in FileField.",
    "pr_body": "See [comment](https://code.djangoproject.com/ticket/32718#comment:26), ticket-32718.\r\n\r\n- ~~If `filename` passed to the `FileField.generate_filename()` is an absolute path, it will be converted to the `os.path.basename(filename)`.~~\r\n- Validate `filename` returned by `FileField.upload_to()` not a `filename` passed to the `FileField.generate_filename()` (`upload_to()` may completely ignored passed `filename`).\r\n- Allow relative paths (without dot segments) in the generated file name.\r\n\r\nThanks Jakub Kleň for the report.\r\n\r\nRegression in 0b79eb36915d178aef5c6a7bbce71b1e76d376d3.\r\n\r\n- [x] Discuss support for absolute paths.\r\n- [x] Release notes.",
    "issue_id": 32718,
    "issue_title": "Saving a FileField raises SuspiciousFileOperation in some scenarios.",
    "issue_body": "I came across this issue today when I was updating Django from 3.2.0 -> 3.2.1.\nIt's directly caused by:\n​\nhttps://docs.djangoproject.com/en/3.2/releases/3.2.1/#cve-2021-31542-potential-directory-traversal-via-uploaded-files\nStarting from 3.2.1, Django requires that only the basename is passed to\nFieldFile.save\nmethod, because otherwise it raises a new exception:\nSuspiciousFileOperation: File name ... includes path elements\nThe issue is that in\nFileField.pre_save\n, a full path is passed to\nFieldFile.save\n, causing the exception to be raised.\nCorrect me if I'm wrong, but file-like objects always contain the full path to the file in the\nname\nattribute (the built-in Django\nFile\nclass even uses it to reopen the file if it was closed), and so it seems to be a bug in Django itself.\nSteps to reproduce:\nmodel_instance.file_attribute = File(open(path, 'rb'))\nmodel_instance.save()\nI also created a PR with the fix:\n​\nhttps://github.com/django/django/pull/14354",
    "issue_closed_at": "2021-05-13T01:53:57",
    "base_commit": "b81c7562fc33f50166d5120138d6398dc42b13c3",
    "changes": [
      {
        "file": "django/core/files/utils.py",
        "type": "line",
        "name": "line 1",
        "code": "import os\n\nfrom django.core.exceptions import SuspiciousFileOperation\n\n\ndef validate_file_name(name):\n    if name != os.path.basename(name):\n        raise SuspiciousFileOperation(\"File name '%s' includes path elements\" % name)\n\n    # Remove potentially dangerous names\n    if name in {'', '.', '..'}:\n        raise SuspiciousFileOperation(\"Could not derive file name from '%s'\" % name)\n\n    return name\n\n"
      },
      {
        "file": "django/db/models/fields/files.py",
        "type": "function",
        "name": "generate_filename",
        "class_name": "FileField",
        "code": "def generate_filename(self, instance, filename):\n        \"\"\"\n        Apply (if callable) or prepend (if a string) upload_to to the filename,\n        then delegate further processing of the name to the storage backend.\n        Until the storage layer, all file paths are expected to be Unix style\n        (with forward slashes).\n        \"\"\"\n        filename = validate_file_name(filename)\n        if callable(self.upload_to):\n            filename = self.upload_to(instance, filename)\n        else:\n            dirname = datetime.datetime.now().strftime(str(self.upload_to))\n            filename = posixpath.join(dirname, filename)\n        return self.storage.generate_filename(filename)"
      }
    ]
  },
  "Justification": "Candidate E is the most relevant as it addresses an issue in Django related to FileField which involves interaction with the database, particularly in scenarios where configurations might influence how files are saved and managed. Given that the CURRENT bug report highlights problems with database migration and management commands involving multi-tenant services, understanding how file handling occurs in conjunction with database migrations may provide insights into handling database parameters effectively during migration. Additionally, the patch details a relevant change in behavior which could unveil similar patterns of overlooked parameter handling, assisting in resolving issues raised in the CURRENT bug.",
  "instance_id": "django__django-16400",
  "repo": "django/django",
  "created_at": "2022-12-23T17:17:00Z",
  "problem_statement": "migrate management command does not respect database parameter when adding Permissions.\nDescription\n\t \n\t\t(last modified by Vasanth)\n\t \nWhen invoking migrate with a database parameter, the migration runs successfully. However, there seems to be a DB read request that runs after the migration. This call does not respect the db param and invokes the db router .\nWhen naming the db as a parameter, all DB calls in the context of the migrate command are expected to use the database specified.\nI came across this as I am currently using a thread-local variable to get the active DB with a custom DB router for a multi-tenant service .\nMinimal example \nSetup the custom middleware and custom DB Router as show below. Then run any DB migration. We see that \"read {}\" is being printed before the exception message.\nIdeally none of this code must be called as the DB was specified during management command.\nfrom threading import local\nfrom django.conf import settings\nlocal_state = local()\nclass InvalidTenantException(Exception):\n\tpass\nclass TenantSubdomainMiddleware:\n\tdef __init__(self, get_response):\n\t\tself.get_response = get_response\n\tdef __call__(self, request):\n\t\t## Get Subdomain\n\t\thost = request.get_host().split(\":\")[0]\n\t\tlocal_state.subdomain = (\n\t\t\t# We assume single level of subdomain : app.service.com \n\t\t\t# HOST_IP : used to for local dev. \n\t\t\thost if host in settings.HOST_IP else host.split(\".\")[0]\n\t\t)\n\t\tresponse = self.get_response(request)\n\t\treturn response\nclass TenantDatabaseRouter:\n\tdef _default_db(self):\n\t\tsubdomain = getattr(local_state, \"subdomain\", None)\n\t\tif subdomain is not None and subdomain in settings.TENANT_MAP:\n\t\t\tdb_name = settings.TENANT_MAP[local_state.subdomain]\n\t\t\treturn db_name\n\t\telse:\n\t\t\traise InvalidTenantException()\n\tdef db_for_read(self, model, **hints):\n\t\tprint(\"read\", hints)\n\t\treturn self._default_db()\n\tdef db_for_write(self, model, **hints):\n\t\tprint(\"write\", hints)\n\t\treturn self._default_db()\n\tdef allow_relation(self, obj1, obj2, **hints):\n\t\treturn None\n\tdef allow_migrate(self, db, app_label, model_name=None, **hints):\n\t\treturn None\n## settings.py\nMIDDLEWARE = [\n\t\"utils.tenant_db_router.TenantSubdomainMiddleware\",\n\t\"django.middleware.security.SecurityMiddleware\",\n\t...\n]\nTENANT_MAP = {\"localhost\":\"default\", \"tenant_1\":\"default\"}\nDATABASE_ROUTERS = [\"utils.tenant_db_router.TenantDatabaseRouter\"]\n",
  "patch": "diff --git a/django/contrib/auth/management/__init__.py b/django/contrib/auth/management/__init__.py\n--- a/django/contrib/auth/management/__init__.py\n+++ b/django/contrib/auth/management/__init__.py\n@@ -95,11 +95,16 @@ def create_permissions(\n         .values_list(\"content_type\", \"codename\")\n     )\n \n-    perms = [\n-        Permission(codename=codename, name=name, content_type=ct)\n-        for ct, (codename, name) in searched_perms\n-        if (ct.pk, codename) not in all_perms\n-    ]\n+    perms = []\n+    for ct, (codename, name) in searched_perms:\n+        if (ct.pk, codename) not in all_perms:\n+            permission = Permission()\n+            permission._state.db = using\n+            permission.codename = codename\n+            permission.name = name\n+            permission.content_type = ct\n+            perms.append(permission)\n+\n     Permission.objects.using(using).bulk_create(perms)\n     if verbosity >= 2:\n         for perm in perms:\n"
}