Fixed #28132 -- Made MultiPartParser ignore filenames with trailing slash.

Michael Brown 2020-06-08 12:55:27 -04:00 committed by Mariusz Felisiak
parent 678c8dfee4
commit 36db4dd937
3 changed files with 11 additions and 4 deletions


@ -621,6 +621,7 @@ answer newbie questions, and generally made Django that much better:
Maximillian Dornseif <md@hudora.de> Maximillian Dornseif <md@hudora.de>
mccutchen@gmail.com mccutchen@gmail.com
Meir Kriheli <http://mksoft.co.il/> Meir Kriheli <http://mksoft.co.il/>
Michael S. Brown <michael@msbrown.net>
Michael Hall <mhall1@ualberta.ca> Michael Hall <mhall1@ualberta.ca>
Michael Josephson <http://www.sdjournal.com/> Michael Josephson <http://www.sdjournal.com/>
Michael Manfre <mmanfre@gmail.com> Michael Manfre <mmanfre@gmail.com>


@ -9,6 +9,7 @@ import binascii
import cgi import cgi
import collections import collections
import html import html
import os
from urllib.parse import unquote from urllib.parse import unquote
from django.conf import settings from django.conf import settings
@ -208,6 +209,7 @@ class MultiPartParser:
# This is a file, use the handler... # This is a file, use the handler...
file_name = disposition.get('filename') file_name = disposition.get('filename')
if file_name: if file_name:
file_name = os.path.basename(file_name)
file_name = force_str(file_name, encoding, errors='replace') file_name = force_str(file_name, encoding, errors='replace')
file_name = self.IE_sanitize(html.unescape(file_name)) file_name = self.IE_sanitize(html.unescape(file_name))
if not file_name: if not file_name:
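Review bot: The new `os.path.basename()` call on the added line runs before `force_str()` and `html.unescape()`, so a path separator that is only present once HTML entities have been unescaped is not stripped by it, and the `IE_sanitize()` that follows removes backslashes only. Normalizing first and stripping separators last is the safer order: `file_name = force_str(file_name, encoding, errors='replace')`, `file_name = html.unescape(file_name)`, `file_name = self.IE_sanitize(os.path.basename(file_name))`. Note also that `os.path.basename()` is platform-dependent (on POSIX only `/` is a separator) and leaves `.` and `..` untouched, so a short comment such as `# Still untrusted: the storage layer must re-validate the name.` would help readers, and rejecting those two names here would be cheap. The enclosing method of MultiPartParser starts and ends outside the hunk.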


@ -209,10 +209,14 @@ class FileUploadTests(TestCase):
Receiving file upload when filename is blank (before and after Receiving file upload when filename is blank (before and after
sanitization) should be okay. sanitization) should be okay.
""" """
# The second value is normalized to an empty name by filenames = [
# MultiPartParser.IE_sanitize() '',
filenames = ['', 'C:\\Windows\\'] # Normalized by MultiPartParser.IE_sanitize().
'C:\\Windows\\',
# Normalized by os.path.basename().
'/',
'ends-with-slash/',
]
payload = client.FakePayload() payload = client.FakePayload()
for i, name in enumerate(filenames): for i, name in enumerate(filenames):
payload.write('\r\n'.join([ payload.write('\r\n'.join([