=======================
Oscar 2.0.4 release notes
=======================

:release: 2019-12-05

This is Oscar 2.0.4, a security release.

Security fixes
==============

The file handling behaviour of uploaded CSV files for ranges (handled by
``RangeProductListView``) has been modified to address a potential security
risk when invalid files are uploaded, as these would previously be left on disk
if parsing of the uploaded file failed.

Uploaded files are no longer written to disk by Oscar, but processed directly
from the temporary uploaded file.

This means that ``RangeProductFileUpload.filepath`` no longer stores a
reference to the stored path of an uploaded file, but only its file name for
reporting purposes. The ``filename`` property of ``RangeProductFileUpload``
has been removed.

The ``RangeProductListView.create_upload_object``,
``RangeProductFileUpload.process`` and ``RangeProductFileUpload.extract_ids``
methods now both expect a file object as a positional argument.
Projects that have overridden any of these methods will need to make
corresponding changes.

The ``OSCAR_UPLOAD_ROOT`` setting which was used exclusively by this feature has
been removed.

Thanks to Mina Mohsen Edwar for reporting this issue.