Oscar 2.0.4 release notes



This is Oscar 2.0.4, a security release.

Security fixes

The file handling behaviour of uploaded CSV files for ranges (handled by RangeProductListView) has been modified to address a potential security risk when invalid files are uploaded, as these would previously be left on disk if parsing of the uploaded file failed.

Uploaded files are no longer written to disk by Oscar, but processed directly from the temporary uploaded file.

This means that RangeProductFileUpload.filepath no longer stores a reference to the stored path of an uploaded file, but only its file name for reporting purposes. The filename property of RangeProductFileUpload has been removed.

The RangeProductListView.create_upload_object, RangeProductFileUpload.process and RangeProductFileUpload.extract_ids methods now both expect a file object as a positional argument. Projects that have overridden any of these methods will need to make corresponding changes.

The OSCAR_UPLOAD_ROOT setting which was used exclusively by this feature has been removed.

Thanks to Mina Mohsen Edwar for reporting this issue.