Oscar 2.0.4 release notes
This is Oscar 2.0.4, a security release.
The file handling behaviour of uploaded CSV files for ranges (handled by
RangeProductListView) has been modified to address a potential security
risk when invalid files are uploaded, as these would previously be left on disk
if parsing of the uploaded file failed.
Uploaded files are no longer written to disk by Oscar, but processed directly from the temporary uploaded file.
This means that RangeProductFileUpload.filepath no longer stores a
reference to the stored path of an uploaded file, but only its file name for
reporting purposes. The filename property of
has been removed.
methods now both expect a file object as a positional argument.
Projects that have overridden any of these methods will need to make
OSCAR_UPLOAD_ROOT setting which was used exclusively by this feature has
Thanks to Mina Mohsen Edwar for reporting this issue.
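
The change described above, shown as an added example that is not Oscar's own code: a handler that stores an upload before parsing it leaves the file on disk when parsing fails, while one that parses the uploaded file object directly leaves nothing behind. The function names, the sample payloads and the one-SKU-per-row format are assumptions made for illustration.

```python
import csv
import io
import os
import tempfile

INVALID = b"\xff\xfe not a CSV"  # constructed sample: not valid UTF-8
VALID = b"SKU-1\nSKU-2\n"        # constructed sample: one SKU per row


def parse_skus(fileobj):
    """Read one SKU per row from a binary file object; ValueError if unparsable."""
    text = fileobj.read().decode("utf-8")  # UnicodeDecodeError is a ValueError
    return [row[0].strip() for row in csv.reader(io.StringIO(text)) if row]


def handle_upload_stored(upload, name, upload_root):
    """Old pattern (hypothetical handler): persist first, parse second."""
    path = os.path.join(upload_root, os.path.basename(name))
    with open(path, "wb") as dest:
        dest.write(upload.read())
    with open(path, "rb") as stored:
        return parse_skus(stored)  # if this raises, `path` is never cleaned up


def handle_upload_direct(upload, name):
    """New pattern (hypothetical handler): parse the upload's own file object
    and keep only the file name for reporting."""
    return os.path.basename(name), parse_skus(upload)


def leftovers(store_first, payload):
    """Run one handler on `payload` and list what remains in the upload directory."""
    with tempfile.TemporaryDirectory() as root:
        try:
            if store_first:
                handle_upload_stored(io.BytesIO(payload), "range.csv", root)
            else:
                handle_upload_direct(io.BytesIO(payload), "range.csv")
        except ValueError:
            pass  # a view would report the parse failure to the user here
        return sorted(os.listdir(root))


if __name__ == "__main__":
    print("store-then-parse, invalid file:", leftovers(True, INVALID))
    print("parse directly, invalid file:  ", leftovers(False, INVALID))
```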