1
0
mirror of https://github.com/django/django.git synced 2025-01-25 01:30:48 +00:00
Aymeric Augustin 7f6fbc906a Prevented static file corruption when URL fragment contains '..'.
When running collectstatic with a hashing static file storage backend,
URLs referencing other files were normalized with posixpath.normpath.
This could corrupt URLs: for example 'a.css#b/../c' became just 'c'.

Normalization seems to be an artifact of the historical implementation.
It contained a home-grown implementation of posixpath.join which relied
on counting occurrences of .. and /, so multiple / had to be collapsed.

The new implementation introduced in the previous commit doesn't suffer
from this issue. So it seems safe to remove the normalization.

There was a test for this normalization behavior but I don't think it's
a good test. Django shouldn't modify CSS that way. If a developer has
rendundant /s, it's mostly an aesthetic issue and it isn't Django's job
to fix it. Conversely, if the user wants a series of /s, perhaps in the
URL fragment, Django shouldn't destroy it.

Refs #26249.
2016-02-23 19:35:16 +01:00

10 lines
359 B
CSS

@font-face {
src: url('fonts/font.eot?#iefix') format('embedded-opentype'),
url('fonts/font.svg#webfontIyfZbseF') format('svg');
url('fonts/font.svg#path/to/../../fonts/font.svg') format('svg');
url('data:font/woff;charset=utf-8;base64,d09GRgABAAAAADJoAA0AAAAAR2QAAQAAAAAAAAAAAAA');
}
div {
behavior: url("#default#VML");
}