1
0
mirror of https://github.com/django/django.git synced 2025-01-27 18:49:23 +00:00

[3.1.x] Fixed #28132 -- Made MultiPartParser ignore filenames with trailing slash.

Backport of 36db4dd937ae11c5b687c5d2e5fa3c27e4140001 from master
This commit is contained in:
Michael Brown 2020-06-08 12:55:27 -04:00 committed by Mariusz Felisiak
parent 4385ef0119
commit 45ec013116
3 changed files with 11 additions and 4 deletions

View File

@ -620,6 +620,7 @@ answer newbie questions, and generally made Django that much better:
Maximillian Dornseif <md@hudora.de>
mccutchen@gmail.com
Meir Kriheli <http://mksoft.co.il/>
Michael S. Brown <michael@msbrown.net>
Michael Hall <mhall1@ualberta.ca>
Michael Josephson <http://www.sdjournal.com/>
Michael Manfre <mmanfre@gmail.com>

View File

@ -9,6 +9,7 @@ import binascii
import cgi
import collections
import html
import os
from urllib.parse import unquote
from django.conf import settings
@ -208,6 +209,7 @@ class MultiPartParser:
# This is a file, use the handler...
file_name = disposition.get('filename')
if file_name:
file_name = os.path.basename(file_name)
file_name = force_str(file_name, encoding, errors='replace')
file_name = self.IE_sanitize(html.unescape(file_name))
if not file_name:

View File

@ -209,10 +209,14 @@ class FileUploadTests(TestCase):
Receiving file upload when filename is blank (before and after
sanitization) should be okay.
"""
# The second value is normalized to an empty name by
# MultiPartParser.IE_sanitize()
filenames = ['', 'C:\\Windows\\']
filenames = [
'',
# Normalized by MultiPartParser.IE_sanitize().
'C:\\Windows\\',
# Normalized by os.path.basename().
'/',
'ends-with-slash/',
]
payload = client.FakePayload()
for i, name in enumerate(filenames):
payload.write('\r\n'.join([