import_file_name form field can be use to access the filesystem

[avoine]

I've notice that your using the full path of the tempfile in the confirmation form.
While it would be hard to take advantage of this, it allows an attacker to try to read
and parse files by modifying the value of the hidden form field.

What I would propose is to use only the basename of the tempfile instead of the
full path. And then read it like this in the views:

import_file = open(os.path.join(tempfile.gettempdir(),                                         
os.path.basename(confirm_form.cleaned_data['import_file_name'])))

[bmihelac]

Thanks for report. This is valid issue and should be addressed asap even as you say it would be difficult to take advantage of it.

Besides using only basename in field, it should be also checked that absolute path of joined temp file starts with tempdir path, for cases when attacker change field value so it includes "../", etc.

Do you want to make a patch for this?

[bmihelac]

Oh, reading again I see you already take care of this with using base name.

[avoine]

yeah, hopefully you will have a pull request tomorrow.