From 103d484807050c00d02641aa04670cea8d0e68a4 Mon Sep 17 00:00:00 2001 From: Malcolm Tredinnick Date: Sat, 26 Jul 2008 22:48:51 +0000 Subject: [PATCH] Fixed #7658 -- Added some Windows-specific tempfile handling. The standard stuff doesn't work with the way Django's file uploading code wants to operate. Patch from Mike Axiak. git-svn-id: http://code.djangoproject.com/svn/django/trunk@8096 bcc190cf-cafb-0310-a4f2-bffc1f526a37 --- django/core/files/temp.py | 58 +++++++++++++++++++++ django/core/files/uploadedfile.py | 3 +- tests/regressiontests/file_uploads/tests.py | 28 +++++----- 3 files changed, 74 insertions(+), 15 deletions(-) create mode 100644 django/core/files/temp.py diff --git a/django/core/files/temp.py b/django/core/files/temp.py new file mode 100644 index 0000000000..298fcbf0a5 --- /dev/null +++ b/django/core/files/temp.py @@ -0,0 +1,58 @@ +""" +The temp module provides a NamedTemporaryFile that can be re-opened on any +platform. Most platforms use the standard Python tempfile.TemporaryFile class, +but MS Windows users are given a custom class. + +This is needed because in Windows NT, the default implementation of +NamedTemporaryFile uses the O_TEMPORARY flag, and thus cannot be reopened [1]. + +1: http://mail.python.org/pipermail/python-list/2005-December/359474.html +""" + +import os +import tempfile + +__all__ = ('NamedTemporaryFile', 'gettempdir',) + +if os.name == 'nt': + class TemporaryFile(object): + """ + Temporary file object constructor that works in Windows and supports + reopening of the temporary file in windows. + """ + def __init__(self, mode='w+b', bufsize=-1, suffix='', prefix='', + dir=None): + fd, name = tempfile.mkstemp(suffix=suffix, prefix=prefix, + dir=dir) + self.name = name + self._file = os.fdopen(fd, mode, bufsize) + + def __del__(self): + try: + self._file.close() + except (OSError, IOError): + pass + try: + os.unlink(self.name) + except (OSError): + pass + + try: + super(TemporaryFile, self).__del__() + except AttributeError: + pass + + + def read(self, *args): return self._file.read(*args) + def seek(self, offset): return self._file.seek(offset) + def write(self, s): return self._file.write(s) + def close(self): return self._file.close() + def __iter__(self): return iter(self._file) + def readlines(self, size=None): return self._file.readlines(size) + def xreadlines(self): return self._file.xreadlines() + + NamedTemporaryFile = TemporaryFile +else: + NamedTemporaryFile = tempfile.NamedTemporaryFile + +gettempdir = tempfile.gettempdir diff --git a/django/core/files/uploadedfile.py b/django/core/files/uploadedfile.py index 7f515f94d4..c498561c18 100644 --- a/django/core/files/uploadedfile.py +++ b/django/core/files/uploadedfile.py @@ -3,7 +3,6 @@ Classes representing uploaded files. """ import os -import tempfile import warnings try: from cStringIO import StringIO @@ -12,6 +11,8 @@ except ImportError: from django.conf import settings +from django.core.files import temp as tempfile + __all__ = ('UploadedFile', 'TemporaryUploadedFile', 'InMemoryUploadedFile', 'SimpleUploadedFile') # Because we fooled around with it a bunch, UploadedFile has a bunch diff --git a/tests/regressiontests/file_uploads/tests.py b/tests/regressiontests/file_uploads/tests.py index 601fc92688..aada1e1ff2 100644 --- a/tests/regressiontests/file_uploads/tests.py +++ b/tests/regressiontests/file_uploads/tests.py @@ -2,9 +2,9 @@ import os import errno import sha import shutil -import tempfile import unittest +from django.core.files import temp as tempfile from django.core.files.uploadedfile import SimpleUploadedFile from django.test import TestCase, client from django.utils import simplejson @@ -22,7 +22,7 @@ class FileUploadTests(TestCase): def test_large_upload(self): tdir = tempfile.gettempdir() - + file1 = tempfile.NamedTemporaryFile(suffix=".file1", dir=tdir) file1.write('a' * (2 ** 21)) file1.seek(0) @@ -58,11 +58,11 @@ class FileUploadTests(TestCase): pass self.assertEqual(response.status_code, 200) - + def test_dangerous_file_names(self): """Uploaded file names should be sanitized before ever reaching the view.""" # This test simulates possible directory traversal attacks by a - # malicious uploader We have to do some monkeybusiness here to construct + # malicious uploader We have to do some monkeybusiness here to construct # a malicious payload with an invalid file name (containing os.sep or # os.pardir). This similar to what an attacker would need to do when # trying such an attack. @@ -79,7 +79,7 @@ class FileUploadTests(TestCase): "..\\..\\hax0rd.txt", # Relative path, win-style. "../..\\hax0rd.txt" # Relative path, mixed. ] - + payload = [] for i, name in enumerate(scary_file_names): payload.extend([ @@ -93,7 +93,7 @@ class FileUploadTests(TestCase): '--' + client.BOUNDARY + '--', '', ]) - + payload = "\r\n".join(payload) r = { 'CONTENT_LENGTH': len(payload), @@ -109,7 +109,7 @@ class FileUploadTests(TestCase): for i, name in enumerate(scary_file_names): got = recieved["file%s" % i] self.assertEqual(got, "hax0rd.txt") - + def test_filename_overflow(self): """File names over 256 characters (dangerous on some platforms) get fixed up.""" name = "%s.txt" % ("f"*500) @@ -131,26 +131,26 @@ class FileUploadTests(TestCase): } got = simplejson.loads(self.client.request(**r).content) self.assert_(len(got['file']) < 256, "Got a long file name (%s characters)." % len(got['file'])) - + def test_custom_upload_handler(self): - # A small file (under the 5M quota) + # A small file (under the 5M quota) smallfile = tempfile.NamedTemporaryFile() smallfile.write('a' * (2 ** 21)) # A big file (over the quota) bigfile = tempfile.NamedTemporaryFile() bigfile.write('a' * (10 * 2 ** 20)) - + # Small file posting should work. response = self.client.post('/file_uploads/quota/', {'f': open(smallfile.name)}) got = simplejson.loads(response.content) self.assert_('f' in got) - + # Large files don't go through. response = self.client.post("/file_uploads/quota/", {'f': open(bigfile.name)}) got = simplejson.loads(response.content) self.assert_('f' not in got) - + def test_broken_custom_upload_handler(self): f = tempfile.NamedTemporaryFile() f.write('a' * (2 ** 21)) @@ -189,7 +189,7 @@ class FileUploadTests(TestCase): class DirectoryCreationTests(unittest.TestCase): """ - Tests for error handling during directory creation + Tests for error handling during directory creation via _save_FIELD_file (ticket #6450) """ def setUp(self): @@ -221,7 +221,7 @@ class DirectoryCreationTests(unittest.TestCase): except IOError, err: # The test needs to be done on a specific string as IOError # is raised even without the patch (just not early enough) - self.assertEquals(err.args[0], + self.assertEquals(err.args[0], "%s exists and is not a directory" % UPLOAD_TO) except: self.fail("IOError not raised")