The message could be something like "Remove the leading slash on upload_to
as it should be a relative path."
--
Ticket URL: <https://code.djangoproject.com/ticket/27358>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
* status: new => assigned
* owner: nobody => Frank
--
Ticket URL: <https://code.djangoproject.com/ticket/27358#comment:1>
* needs_better_patch: 0 => 1
* has_patch: 0 => 1
Comment:
[https://github.com/django/django/pull/7442 PR] with comments for
improvement.
--
Ticket URL: <https://code.djangoproject.com/ticket/27358#comment:2>
* cc: olivier.tabone@… (added)
--
Ticket URL: <https://code.djangoproject.com/ticket/27358#comment:3>
* owner: Frank => Henry Dang
--
Ticket URL: <https://code.djangoproject.com/ticket/27358#comment:4>
* needs_better_patch: 1 => 0
Comment:
[https://github.com/django/django/pull/7621 PR]
--
Ticket URL: <https://code.djangoproject.com/ticket/27358#comment:5>
Comment (by François Freitag):
Would it be interesting to check for known potentially dangerous filenames
[#point1 (1)], such as {{{../index.html}}}?
[=#point1 (1)]
https://www.owasp.org/index.php/Unrestricted_File_Upload#Other_Interesting_Test_Cases
--
Ticket URL: <https://code.djangoproject.com/ticket/27358#comment:6>
Comment (by Tim Graham):
François, I'm not sure how/if your idea is related to this ticket?
--
Ticket URL: <https://code.djangoproject.com/ticket/27358#comment:7>
* status: assigned => closed
* resolution: => fixed
Comment:
In [changeset:"7cddd8a02e60332c0d02f565c450b0eea0d88438" 7cddd8a]:
{{{
#!CommitTicketReference repository=""
revision="7cddd8a02e60332c0d02f565c450b0eea0d88438"
Fixed #27358 -- Added a system check to prevent FileField's upload_to from
starting with a slash.
Thanks Frank Bijlsma for the initial patch.
}}}
--
Ticket URL: <https://code.djangoproject.com/ticket/27358#comment:8>
Comment (by Tim Graham <timograham@…>):
In [changeset:"e6262aaaf8066f2de8aadcc9561941ae64478cef" e6262aaa]:
{{{
#!CommitTicketReference repository=""
revision="e6262aaaf8066f2de8aadcc9561941ae64478cef"
Refs #27358 -- Removed invalid/unneeded FileField.upload_to in tests/docs.
}}}
--
Ticket URL: <https://code.djangoproject.com/ticket/27358#comment:9>
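As an added illustration of the check the fix in comment:7 introduces (example code written for this page, not code from the ticket, the linked pull requests or Django itself), the first function below accepts or rejects an `upload_to` value on the same basis as that system check, and the two join helpers show why the leading slash matters: a plain path join discards `MEDIA_ROOT` as soon as it meets an absolute component, so uploads silently land outside the media directory. `MEDIA_ROOT`, the `uploads` directory and the file names are constructed sample values; the `..` case relates to the filenames raised in comment:5.

```python
import posixpath

# Constructed sample value standing in for a Django MEDIA_ROOT setting (not from the ticket).
MEDIA_ROOT = "/srv/app/media"


def check_upload_to(upload_to):
    """Mirror the intent of the system check the ticket's fix added: a string
    upload_to must be a relative path. Callables are accepted because Django
    resolves them per instance at save time. Returns a list of problems."""
    errors = []
    if callable(upload_to):
        return errors
    if not isinstance(upload_to, str):
        errors.append("upload_to must be a string or a callable")
    elif upload_to.startswith("/"):
        errors.append("upload_to must be a relative path, not an absolute path")
    return errors


def naive_storage_path(upload_to, filename):
    """What a plain join produces. posixpath.join (like os.path.join) drops
    every earlier component once it meets an absolute one, so a leading slash
    on upload_to relocates the file outside MEDIA_ROOT without any error."""
    return posixpath.join(MEDIA_ROOT, upload_to, filename)


def safe_storage_path(upload_to, filename):
    """Defensive counterpart: join, normalise, then require that the result is
    still inside MEDIA_ROOT. This rejects an absolute upload_to as well as
    names whose '..' segments climb out of MEDIA_ROOT."""
    base = posixpath.abspath(MEDIA_ROOT)
    final = posixpath.abspath(posixpath.join(base, upload_to, filename))
    if posixpath.commonpath([base, final]) != base:
        raise ValueError(f"storage path {final!r} escapes MEDIA_ROOT {base!r}")
    return final


if __name__ == "__main__":
    for value in ("uploads/%Y/%m", "/uploads", lambda instance, name: name):
        label = "<callable>" if callable(value) else repr(value)
        print(label, check_upload_to(value))
    print(naive_storage_path("/uploads", "report.pdf"))  # ends up under /uploads, not MEDIA_ROOT
    print(safe_storage_path("uploads", "report.pdf"))
```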