{
    "Selected_candidate": {
        "pr_number": 14372,
        "pr_title": "Fixed #32718 -- Relaxed file name validation in FileField.",
        "pr_body": "See [comment](https://code.djangoproject.com/ticket/32718#comment:26), ticket-32718.\r\n\r\n- ~~If `filename` passed to the `FileField.generate_filename()` is an absolute path, it will be converted to the `os.path.basename(filename)`.~~\r\n- Validate `filename` returned by `FileField.upload_to()` not a `filename` passed to the `FileField.generate_filename()` (`upload_to()` may completely ignored passed `filename`).\r\n- Allow relative paths (without dot segments) in the generated file name.\r\n\r\nThanks Jakub Kleň for the report.\r\n\r\nRegression in 0b79eb36915d178aef5c6a7bbce71b1e76d376d3.\r\n\r\n- [x] Discuss support for absolute paths.\r\n- [x] Release notes.",
        "issue_id": 32718,
        "issue_title": "Saving a FileField raises SuspiciousFileOperation in some scenarios.",
        "issue_body": "I came across this issue today when I was updating Django from 3.2.0 -> 3.2.1.\nIt's directly caused by:\n​\nhttps://docs.djangoproject.com/en/3.2/releases/3.2.1/#cve-2021-31542-potential-directory-traversal-via-uploaded-files\nStarting from 3.2.1, Django requires that only the basename is passed to\nFieldFile.save\nmethod, because otherwise it raises a new exception:\nSuspiciousFileOperation: File name ... includes path elements\nThe issue is that in\nFileField.pre_save\n, a full path is passed to\nFieldFile.save\n, causing the exception to be raised.\nCorrect me if I'm wrong, but file-like objects always contain the full path to the file in the\nname\nattribute (the built-in Django\nFile\nclass even uses it to reopen the file if it was closed), and so it seems to be a bug in Django itself.\nSteps to reproduce:\nmodel_instance.file_attribute = File(open(path, 'rb'))\nmodel_instance.save()\nI also created a PR with the fix:\n​\nhttps://github.com/django/django/pull/14354",
        "issue_closed_at": "2021-05-13T01:53:57",
        "base_commit": "b81c7562fc33f50166d5120138d6398dc42b13c3",
        "changes": [
            {
                "file": "django/core/files/utils.py",
                "type": "line",
                "name": "line 1",
                "code": "import os\n\nfrom django.core.exceptions import SuspiciousFileOperation\n\n\ndef validate_file_name(name):\n    if name != os.path.basename(name):\n        raise SuspiciousFileOperation(\"File name '%s' includes path elements\" % name)\n\n    # Remove potentially dangerous names\n    if name in {'', '.', '..'}:\n        raise SuspiciousFileOperation(\"Could not derive file name from '%s'\" % name)\n\n    return name\n\n"
            },
            {
                "file": "django/db/models/fields/files.py",
                "type": "function",
                "name": "generate_filename",
                "class_name": "FileField",
                "code": "def generate_filename(self, instance, filename):\n        \"\"\"\n        Apply (if callable) or prepend (if a string) upload_to to the filename,\n        then delegate further processing of the name to the storage backend.\n        Until the storage layer, all file paths are expected to be Unix style\n        (with forward slashes).\n        \"\"\"\n        filename = validate_file_name(filename)\n        if callable(self.upload_to):\n            filename = self.upload_to(instance, filename)\n        else:\n            dirname = datetime.datetime.now().strftime(str(self.upload_to))\n            filename = posixpath.join(dirname, filename)\n        return self.storage.generate_filename(filename)"
            }
        ]
    },
    "Justification": "Candidate E is the most relevant as it addresses an issue in Django related to FileField which involves interaction with the database, particularly in scenarios where configurations might influence how files are saved and managed. Given that the CURRENT bug report highlights problems with database migration and management commands involving multi-tenant services, understanding how file handling occurs in conjunction with database migrations may provide insights into handling database parameters effectively during migration. Additionally, the patch details a relevant change in behavior which could unveil similar patterns of overlooked parameter handling, assisting in resolving issues raised in the CURRENT bug."
}