mirror of
				https://github.com/django/django.git
				synced 2025-10-25 06:36:07 +00:00 
			
		
		
		
	Fixed #12397 -- allow safe_join to work with the root file system path, which means you can have your root template or file upload path at this location. You almost certainly don't want to do this, except in *very* limited sandboxed situations.
This commit is contained in:
		| @@ -1,6 +1,6 @@ | |||||||
| import os | import os | ||||||
| import stat | import stat | ||||||
| from os.path import join, normcase, normpath, abspath, isabs, sep | from os.path import join, normcase, normpath, abspath, isabs, sep, dirname | ||||||
| from django.utils.encoding import force_text | from django.utils.encoding import force_text | ||||||
| from django.utils import six | from django.utils import six | ||||||
|  |  | ||||||
| @@ -41,13 +41,16 @@ def safe_join(base, *paths): | |||||||
|     paths = [force_text(p) for p in paths] |     paths = [force_text(p) for p in paths] | ||||||
|     final_path = abspathu(join(base, *paths)) |     final_path = abspathu(join(base, *paths)) | ||||||
|     base_path = abspathu(base) |     base_path = abspathu(base) | ||||||
|     base_path_len = len(base_path) |  | ||||||
|     # Ensure final_path starts with base_path (using normcase to ensure we |     # Ensure final_path starts with base_path (using normcase to ensure we | ||||||
|     # don't false-negative on case insensitive operating systems like Windows) |     # don't false-negative on case insensitive operating systems like Windows), | ||||||
|     # and that the next character after the final path is os.sep (or nothing, |     # further, one of the following conditions must be true: | ||||||
|     # in which case final_path must be equal to base_path). |     #  a) The next character is the path separator (to prevent conditions like | ||||||
|     if not normcase(final_path).startswith(normcase(base_path)) \ |     #     safe_join("/dir", "/../d")) | ||||||
|        or final_path[base_path_len:base_path_len+1] not in ('', sep): |     #  b) The final path must be the same as the base path. | ||||||
|  |     #  c) The base path must be the most root path (meaning either "/" or "C:\\") | ||||||
|  |     if (not normcase(final_path).startswith(normcase(base_path + sep)) and | ||||||
|  |         normcase(final_path) != normcase(base_path) and | ||||||
|  |         dirname(normcase(base_path)) != normcase(base_path)): | ||||||
|         raise ValueError('The joined path (%s) is located outside of the base ' |         raise ValueError('The joined path (%s) is located outside of the base ' | ||||||
|                          'path component (%s)' % (final_path, base_path)) |                          'path component (%s)' % (final_path, base_path)) | ||||||
|     return final_path |     return final_path | ||||||
|   | |||||||
							
								
								
									
										21
									
								
								tests/regressiontests/utils/os_utils.py
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										21
									
								
								tests/regressiontests/utils/os_utils.py
									
									
									
									
									
										Normal file
									
								
							| @@ -0,0 +1,21 @@ | |||||||
|  | from django.utils import unittest | ||||||
|  | from django.utils._os import safe_join | ||||||
|  |  | ||||||
|  |  | ||||||
|  | class SafeJoinTests(unittest.TestCase): | ||||||
|  |     def test_base_path_ends_with_sep(self): | ||||||
|  |         self.assertEqual( | ||||||
|  |             safe_join("/abc/", "abc"), | ||||||
|  |             "/abc/abc", | ||||||
|  |         ) | ||||||
|  |  | ||||||
|  |     def test_root_path(self): | ||||||
|  |         self.assertEqual( | ||||||
|  |             safe_join("/", "path"), | ||||||
|  |             "/path", | ||||||
|  |         ) | ||||||
|  |  | ||||||
|  |         self.assertEqual( | ||||||
|  |             safe_join("/", ""), | ||||||
|  |             "/", | ||||||
|  |         ) | ||||||
| @@ -21,6 +21,7 @@ from .http import TestUtilsHttp | |||||||
| from .ipv6 import TestUtilsIPv6 | from .ipv6 import TestUtilsIPv6 | ||||||
| from .jslex import JsToCForGettextTest, JsTokensTest | from .jslex import JsToCForGettextTest, JsTokensTest | ||||||
| from .module_loading import CustomLoader, DefaultLoader, EggLoader | from .module_loading import CustomLoader, DefaultLoader, EggLoader | ||||||
|  | from .os_utils import SafeJoinTests | ||||||
| from .regex_helper import NormalizeTests | from .regex_helper import NormalizeTests | ||||||
| from .simplelazyobject import TestUtilsSimpleLazyObject | from .simplelazyobject import TestUtilsSimpleLazyObject | ||||||
| from .termcolors import TermColorTests | from .termcolors import TermColorTests | ||||||
|   | |||||||
		Reference in New Issue
	
	Block a user