assets: double check for null bytes in filename (#86356)

combo/apps/assets/views.py

@@ -196,6 +196,9 @@ class AssetOverwrite(FormView):
             os.stat(default_storage.path(img_orig))
         except ValueError:
             raise PermissionDenied()
+        if '\x00' in img_orig:
+            # os.stat should have raised "embedded null byte" but double check
+            raise PermissionDenied()
 
         upload = self.request.FILES['upload']
 
@@ -249,6 +252,9 @@ class AssetDelete(TemplateView):
             os.stat(default_storage.path(img_orig))
         except ValueError:
             raise PermissionDenied()
+        if '\x00' in img_orig:
+            # os.stat should have raised "embedded null byte" but double check
+            raise PermissionDenied()
 
         default_storage.delete(img_orig)
         return redirect(Assets(request=self.request).get_anchored_url(name=os.path.basename(img_orig)))