Prevented static file corruption when URL fragment contains '..'.

When running collectstatic with a hashing static file storage backend, URLs referencing other files were normalized with posixpath.normpath. This could corrupt URLs: for example 'a.css#b/../c' became just 'c'. Normalization seems to be an artifact of the historical implementation. It contained a home-grown implementation of posixpath.join which relied on counting occurrences of .. and /, so multiple / had to be collapsed. The new implementation introduced in the previous commit doesn't suffer from this issue. So it seems safe to remove the normalization. There was a test for this normalization behavior but I don't think it's a good test. Django shouldn't modify CSS that way. If a developer has rendundant /s, it's mostly an aesthetic issue and it isn't Django's job to fix it. Conversely, if the user wants a series of /s, perhaps in the URL fragment, Django shouldn't destroy it. Refs #26249.
2025-10-26 07:06:08 +00:00 · 2016-02-23 10:51:54 +01:00
parent 706b33fef8
commit 7f6fbc906a
4 changed files with 3 additions and 25 deletions
--- a/django/contrib/staticfiles/storage.py
+++ b/django/contrib/staticfiles/storage.py
@@ -170,14 +170,6 @@ class HashedFilesMixin(object):
            if url.startswith('/') and not url.startswith(settings.STATIC_URL):
                return matched

-            # This is technically not useful and could be considered a bug:
-            # we're making changes to our user's code for no good reason.
-            # Removing it makes test_template_tag_denorm fail, though, and I'm
-            # working on another bug, so I'm going to leave it there for now.
-            # When someone complains that /foo/bar#a/../b gets changed to
-            # /foo/bar#b, just remove it, as well as test_template_tag_denorm.
-            url = posixpath.normpath(url)
-
            # Strip off the fragment so a path-like fragment won't interfere.
            url_path, fragment = urldefrag(url)