Commit Graph

10 Commits

Author SHA1 Message Date
Mariusz Felisiak 8d7271578d Fixed CVE-2020-24583, #31921 -- Fixed permissions on intermediate-level static and storage directories on Python 3.7+.
Thanks WhiteSage for the report.
2020-09-01 09:17:23 +02:00
Дилян Палаузов 6c0042430e Fixed #28776 -- Fixed a/an/and typos in docs and comments. 2017-11-06 22:41:03 -05:00
Andrew Nester 08ed3cc6d1 Fixed #26671 -- Made HashedFilesMixin ignore the 'chrome' scheme. 2016-07-12 08:20:39 -04:00
Claude Paroz edcecaf0de Fixed #19670 -- Applied CachedFilesMixin patterns to specific extensions
Thanks Simon Meers for the initial patch, and Tim Graham for the review.
2016-03-30 14:34:41 +02:00
Aymeric Augustin 7f6fbc906a Prevented static file corruption when URL fragment contains '..'.
When running collectstatic with a hashing static file storage backend,
URLs referencing other files were normalized with posixpath.normpath.
This could corrupt URLs: for example 'a.css#b/../c' became just 'c'.

Normalization seems to be an artifact of the historical implementation.
It contained a home-grown implementation of posixpath.join which relied
on counting occurrences of .. and /, so multiple / had to be collapsed.

The new implementation introduced in the previous commit doesn't suffer
from this issue. So it seems safe to remove the normalization.

There was a test for this normalization behavior but I don't think it's
a good test. Django shouldn't modify CSS that way. If a developer has
rendundant /s, it's mostly an aesthetic issue and it isn't Django's job
to fix it. Conversely, if the user wants a series of /s, perhaps in the
URL fragment, Django shouldn't destroy it.

Refs #26249.
2016-02-23 19:35:16 +01:00
Aymeric Augustin 706b33fef8 Fixed #26249 -- Fixed collectstatic crash for files in STATIC_ROOT referenced by absolute URL.
collectstatic crashed when:

* a hashing static file storage backend was used
* a static file referenced another static file located directly in
  STATIC_ROOT (not a subdirectory) with an absolute URL (which must
  start with STATIC_URL, which cannot be empty)

It seems to me that the current code reimplements relative path joining
and doesn't handle edge cases correctly. I suspect it assumes that
STATIC_URL is of the form r'/[^/]+/'.

Throwing out that code in favor of the posixpath module makes the logic
easier to follow. Handling absolute paths correctly also becomes easier.
2016-02-23 19:34:21 +01:00
msaelices 7624fdb9f8 Fixed #25283 -- Fixed collectstatic crash if a URL contains a fragment with a path.
A @font-face declaration may contain a fragment that looks like a relative path,
e.g. @font-face { src: url('../fonts/font.svg#../path/like/fragment'); }
In this case, an incorrect path was passed to the storage backend, which raised
an error that caused collectstatic to crash.
2015-11-12 19:30:48 -05:00
Aymeric Augustin bd059e3f8c Removed workaround for SVN limitations.
In addition to simplifying the code, this reduces the number of writes.
2015-02-21 17:52:24 +01:00
Trey Hunner 6868643063 Added newlines to the ends of CSS, HTML, and JavaScript files missing them. 2014-08-12 19:22:09 -04:00
Florian Apolloner 89f40e3624 Merged regressiontests and modeltests into the test root. 2013-02-26 14:36:57 +01:00