From 36db4dd937ae11c5b687c5d2e5fa3c27e4140001 Mon Sep 17 00:00:00 2001
From: Michael Brown
Date: Mon, 8 Jun 2020 12:55:27 -0400
Subject: [PATCH] Fixed #28132 -- Made MultiPartParser ignore filenames with trailing slash.

---
 AUTHORS                        |  1 +
 django/http/multipartparser.py |  2 ++
 tests/file_uploads/tests.py    | 12 ++++++++----
 3 files changed, 11 insertions(+), 4 deletions(-)

diff --git a/AUTHORS b/AUTHORS
index 1c5a1fee6b..3cb92e21da 100644
--- a/AUTHORS
+++ b/AUTHORS
@@ -621,6 +621,7 @@ answer newbie questions, and generally made Django that much better:
     Maximillian Dornseif
     mccutchen@gmail.com
     Meir Kriheli
+    Michael S. Brown
     Michael Hall
     Michael Josephson
     Michael Manfre
diff --git a/django/http/multipartparser.py b/django/http/multipartparser.py
index 33d8814241..b3472f7be2 100644
--- a/django/http/multipartparser.py
+++ b/django/http/multipartparser.py
@@ -9,6 +9,7 @@ import binascii
 import cgi
 import collections
 import html
+import os
 from urllib.parse import unquote
 
 from django.conf import settings
@@ -208,6 +209,7 @@ class MultiPartParser:
                 # This is a file, use the handler...
                 file_name = disposition.get('filename')
                 if file_name:
+                    file_name = os.path.basename(file_name)
                 file_name = force_str(file_name, encoding, errors='replace')
                 file_name = self.IE_sanitize(html.unescape(file_name))
                 if not file_name:
diff --git a/tests/file_uploads/tests.py b/tests/file_uploads/tests.py
index 5743344a51..df8f1b8031 100644
--- a/tests/file_uploads/tests.py
+++ b/tests/file_uploads/tests.py
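Review bot: The new `os.path.basename(file_name)` runs on the raw header value, before the `force_str` and `html.unescape` calls on the next two lines, so a separator that arrives HTML-encoded (for example `&#47;`) is not stripped here and only becomes a `/` after the decode, and `IE_sanitize` afterwards only removes backslash-prefixed components. Moving the call after sanitization, `file_name = self.IE_sanitize(html.unescape(file_name))` followed by `file_name = os.path.basename(file_name)`, applies the stripping to the decoded name and keeps the `if not file_name:` check below meaningful for the `'/'` and trailing-slash cases this commit targets. `os.path.basename` is also platform-dependent: on POSIX it splits only on `/`, so backslash paths still rely on `IE_sanitize`, which deserves a one-line comment such as `# Drop any directory part; IE_sanitize() covers backslash-separated names.`. Whether a later layer re-applies basename before the name reaches storage is not visible in this hunk; the enclosing parse loop starts and ends outside it.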
@@ -209,10 +209,14 @@ class FileUploadTests(TestCase):
         Receiving file upload when filename is blank (before and after
         sanitization) should be okay.
         """
-        # The second value is normalized to an empty name by
-        # MultiPartParser.IE_sanitize()
-        filenames = ['', 'C:\\Windows\\']
-
+        filenames = [
+            '',
+            # Normalized by MultiPartParser.IE_sanitize().
+            'C:\\Windows\\',
+            # Normalized by os.path.basename().
+            '/',
+            'ends-with-slash/',
+        ]
         payload = client.FakePayload()
         for i, name in enumerate(filenames):
             payload.write('\r\n'.join([
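Review bot: The new entries only exercise names that collapse to an empty string, so the other half of the new behaviour — a non-empty filename with directory components being reduced to its last segment (e.g. `dir/name.txt` arriving as `name.txt`) — is not pinned by this test; if no other test in `FileUploadTests` covers it, a separate assertion for that case would guard the `os.path.basename` call against a future reordering or removal. The `# Normalized by os.path.basename().` comment could also state that this holds on POSIX and Windows alike, since `basename` splits on `/` on both. The enclosing test method starts outside the hunk.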