diff --git a/AUTHORS b/AUTHORS
index 1c5a1fee6b..3cb92e21da 100644
--- a/AUTHORS
+++ b/AUTHORS
@@ -621,6 +621,7 @@ answer newbie questions, and generally made Django that much better:
 Maximillian Dornseif
 mccutchen@gmail.com
 Meir Kriheli
+ Michael S. Brown
 Michael Hall
 Michael Josephson
 Michael Manfre
diff --git a/django/http/multipartparser.py b/django/http/multipartparser.py
index 33d8814241..b3472f7be2 100644
--- a/django/http/multipartparser.py
+++ b/django/http/multipartparser.py
@@ -9,6 +9,7 @@ import binascii
 import cgi
 import collections
 import html
+import os
 from urllib.parse import unquote
 
 from django.conf import settings
@@ -208,6 +209,7 @@ class MultiPartParser:
 # This is a file, use the handler...
 file_name = disposition.get('filename')
 if file_name:
+ file_name = os.path.basename(file_name)
 file_name = force_str(file_name, encoding, errors='replace')
 file_name = self.IE_sanitize(html.unescape(file_name))
 if not file_name:
diff --git a/tests/file_uploads/tests.py b/tests/file_uploads/tests.py
index 5743344a51..df8f1b8031 100644
--- a/tests/file_uploads/tests.py
+++ b/tests/file_uploads/tests.py
@@ -209,10 +209,14 @@ class FileUploadTests(TestCase):
 Receiving file upload when filename is blank (before and after
 sanitization) should be okay.
 """
- # The second value is normalized to an empty name by
- # MultiPartParser.IE_sanitize()
- filenames = ['', 'C:\\Windows\\']
-
+ filenames = [
+ '',
+ # Normalized by MultiPartParser.IE_sanitize().
+ 'C:\\Windows\\',
+ # Normalized by os.path.basename().
+ '/',
+ 'ends-with-slash/',
+ ]
 payload = client.FakePayload()
 for i, name in enumerate(filenames):
 payload.write('\r\n'.join([
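Review bot: The added `os.path.basename(file_name)` leaves the names `.` and `..` untouched (`os.path.basename('..')` is `'..'`), so a Content-Disposition filename of `..` still passes the `if not file_name:` guard at the end of the hunk and is handed to the upload handlers as a name that denotes a directory rather than a file. Folding that into the existing guard, `if not file_name or file_name in ('.', '..'):`, closes it; whatever follows that guard (presumably a `continue`) and the rest of the enclosing method lie outside the hunk. The added line also deserves a why-comment, because the division of labour with the next lines is not obvious: `# Drop any directory part; on POSIX basename() only splits on '/', IE_sanitize() below handles backslash paths.` It runs before `force_str()`, so it sees whichever type `disposition` holds; `os.path.basename()` accepts both bytes and str, so that ordering is safe either way.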
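Review bot: The new list entries only exercise names that `os.path.basename()` reduces to the empty string (`'/'`, `'ends-with-slash/'`); nothing in this hunk asserts that a name carrying a directory component, such as `'../../evil.txt'` or `'dir/evil.txt'`, reaches the view as `'evil.txt'`, which is the property the parser change exists to provide. Unless another test in this commit covers that case, it belongs in a test that checks the received filename rather than in this blank-filename test, whose enclosing method starts outside the hunk. The comment `# Normalized by os.path.basename().` would be clearer as `# Reduced to '' by os.path.basename().`, mirroring the docstring's "blank" wording and the `''` entry above it.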