mirror of
				https://github.com/django/django.git
				synced 2025-10-24 22:26:08 +00:00 
			
		
		
		
	Fixed #15181 -- Ensure that special characters are escaped when querying for the URL of an uploaded file. Thanks to e.generalov for the report and patch.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@15409 bcc190cf-cafb-0310-a4f2-bffc1f526a37
This commit is contained in:
		| @@ -8,7 +8,7 @@ from django.conf import settings | |||||||
| from django.core.exceptions import ImproperlyConfigured, SuspiciousOperation | from django.core.exceptions import ImproperlyConfigured, SuspiciousOperation | ||||||
| from django.core.files import locks, File | from django.core.files import locks, File | ||||||
| from django.core.files.move import file_move_safe | from django.core.files.move import file_move_safe | ||||||
| from django.utils.encoding import force_unicode | from django.utils.encoding import force_unicode, filepath_to_uri | ||||||
| from django.utils.functional import LazyObject | from django.utils.functional import LazyObject | ||||||
| from django.utils.importlib import import_module | from django.utils.importlib import import_module | ||||||
| from django.utils.text import get_valid_filename | from django.utils.text import get_valid_filename | ||||||
| @@ -240,7 +240,7 @@ class FileSystemStorage(Storage): | |||||||
|     def url(self, name): |     def url(self, name): | ||||||
|         if self.base_url is None: |         if self.base_url is None: | ||||||
|             raise ValueError("This file is not accessible via a URL.") |             raise ValueError("This file is not accessible via a URL.") | ||||||
|         return urlparse.urljoin(self.base_url, name).replace('\\', '/') |         return urlparse.urljoin(self.base_url, filepath_to_uri(name)) | ||||||
|  |  | ||||||
|     def accessed_time(self, name): |     def accessed_time(self, name): | ||||||
|         return datetime.fromtimestamp(os.path.getatime(self.path(name))) |         return datetime.fromtimestamp(os.path.getatime(self.path(name))) | ||||||
|   | |||||||
| @@ -156,6 +156,24 @@ def iri_to_uri(iri): | |||||||
|         return iri |         return iri | ||||||
|     return urllib.quote(smart_str(iri), safe="/#%[]=:;$&()+,!?*@'~") |     return urllib.quote(smart_str(iri), safe="/#%[]=:;$&()+,!?*@'~") | ||||||
|  |  | ||||||
|  | def filepath_to_uri(path): | ||||||
|  |     """Convert an file system path to a URI portion that is suitable for | ||||||
|  |     inclusion in a URL. | ||||||
|  |  | ||||||
|  |     We are assuming input is either UTF-8 or unicode already. | ||||||
|  |  | ||||||
|  |     This method will encode certain chars that would normally be recognized as | ||||||
|  |     special chars for URIs.  Note that this method does not encode the ' | ||||||
|  |     character, as it is a valid character within URIs.  See | ||||||
|  |     encodeURIComponent() JavaScript function for more details. | ||||||
|  |  | ||||||
|  |     Returns an ASCII string containing the encoded result. | ||||||
|  |     """ | ||||||
|  |     if path is None: | ||||||
|  |         return path | ||||||
|  |     # I know about `os.sep` and `os.altsep` but I want to leave | ||||||
|  |     # some flexibility for hardcoding separators. | ||||||
|  |     return urllib.quote(smart_str(path).replace("\\", "/"), safe="/~!*()'") | ||||||
|  |  | ||||||
| # The encoding of the default system locale but falls back to the | # The encoding of the default system locale but falls back to the | ||||||
| # given fallback encoding if the encoding is unsupported by python or could | # given fallback encoding if the encoding is unsupported by python or could | ||||||
|   | |||||||
| @@ -204,6 +204,15 @@ class FileStorageTests(unittest.TestCase): | |||||||
|         self.assertEqual(self.storage.url('test.file'), |         self.assertEqual(self.storage.url('test.file'), | ||||||
|             '%s%s' % (self.storage.base_url, 'test.file')) |             '%s%s' % (self.storage.base_url, 'test.file')) | ||||||
|  |  | ||||||
|  |         # should encode special chars except ~!*()' | ||||||
|  |         # like encodeURIComponent() JavaScript function do | ||||||
|  |         self.assertEqual(self.storage.url(r"""~!*()'@#$%^&*abc`+=.file"""), | ||||||
|  |             """/test_media_url/~!*()'%40%23%24%25%5E%26*abc%60%2B%3D.file""") | ||||||
|  |  | ||||||
|  |         # should stanslate os path separator(s) to the url path separator | ||||||
|  |         self.assertEqual(self.storage.url("""a/b\\c.file"""), | ||||||
|  |             """/test_media_url/a/b/c.file""") | ||||||
|  |  | ||||||
|         self.storage.base_url = None |         self.storage.base_url = None | ||||||
|         self.assertRaises(ValueError, self.storage.url, 'test.file') |         self.assertRaises(ValueError, self.storage.url, 'test.file') | ||||||
|  |  | ||||||
|   | |||||||
		Reference in New Issue
	
	Block a user