Fixed #4952 -- Fixed the get_template_sources functions of the app_directories and filesystem template loaders to not return paths outside of given template directories. Both functions now make use of a new safe_join utility function. Thanks to SmileyChris for help with the patch.

git-svn-id: http://code.djangoproject.com/svn/django/trunk@5750 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2025-10-29 16:46:11 +00:00 · 2007-07-23 04:45:01 +00:00
parent 7a16a1d81a
commit 304381616f
4 changed files with 93 additions and 9 deletions
--- a/django/utils/_os.py
+++ b/django/utils/_os.py
@@ -0,0 +1,23 @@
+from os.path import join, normcase, abspath, sep
+
+def safe_join(base, *paths):
+    """
+    Join one or more path components to the base path component intelligently.
+    Return a normalized, absolute version of the final path.
+
+    The final path must be located inside of the base path component (otherwise
+    a ValueError is raised).
+    """
+    # We need to use normcase to ensure we don't false-negative on case
+    # insensitive operating systems (like Windows).
+    final_path = normcase(abspath(join(base, *paths)))
+    base_path = normcase(abspath(base))
+    base_path_len = len(base_path)
+    # Ensure final_path starts with base_path and that the next character after
+    # the final path is os.sep (or nothing, in which case final_path must be
+    # equal to base_path).
+    if not final_path.startswith(base_path) \
+       or final_path[base_path_len:base_path_len+1] not in ('', sep):
+        raise ValueError('the joined path is located outside of the base path'
+                         ' component')
+    return final_path