[Django] #27358: Add a system check for FileField upload_to starting with a slash

Django

Oct 17, 2016, 8:30:07 PM
to django-...@googlegroups.com
#27358: Add a system check for FileField upload_to starting with a slash
------------------------------------------------+------------------------
Reporter: Tim Graham | Owner: nobody
Type: Cleanup/optimization | Status: new
Component: Core (System checks) | Version: 1.10
Severity: Normal | Keywords:
Triage Stage: Accepted | Has patch: 0
Needs documentation: 0 | Needs tests: 0
Patch needs improvement: 0 | Easy pickings: 1
UI/UX: 0 |
------------------------------------------------+------------------------
A leading slash in `upload_to` [http://www.pkshiu.com/loft/archive/2008/05/django-tip-no-leading-slash-for-upload_to-for-filefield-and-imagefield seems to be a gotcha] for some people new to Django (just came up in #django too).

The message could be something like "Remove the leading slash on upload_to
as it should be a relative path."

--
Ticket URL: <https://code.djangoproject.com/ticket/27358>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
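A stand-alone illustration of the gotcha and of the kind of check the ticket asks for. This is an added example, not code from the ticket or from Django itself; MEDIA_ROOT, the field labels and the check function are constructed for the demonstration.

```python
import posixpath
from typing import Callable, List, Union


def storage_path(media_root: str, upload_to: str, filename: str) -> str:
    """Join root, upload_to and filename with POSIX semantics.

    posixpath.join discards every earlier component as soon as it meets an
    absolute one, so an upload_to beginning with "/" silently drops media_root
    and the resulting path no longer lives under it.
    """
    return posixpath.join(media_root, upload_to, filename)


def check_upload_to(field_label: str, upload_to: Union[str, Callable]) -> List[str]:
    """Model-loading-time check in the spirit of the one proposed in the ticket.

    Returns a list of error messages (empty when the value is acceptable).
    A callable upload_to is skipped: its result only exists at upload time,
    so there is nothing to inspect statically.
    """
    if callable(upload_to):
        return []
    if upload_to.startswith("/"):
        return [
            f"{field_label}: remove the leading slash on upload_to "
            f"({upload_to!r}); it should be a relative path."
        ]
    return []


# Constructed sample values for the demonstration (not taken from the ticket).
MEDIA_ROOT = "/srv/site/media"
SAMPLE_FIELDS = {
    "Profile.avatar": "avatars/%Y/%m",                     # relative: fine
    "Report.attachment": "/reports",                       # leading slash: the gotcha
    "Doc.scan": lambda instance, name: f"scans/{name}",    # callable: skipped
}


def run_checks(fields=SAMPLE_FIELDS) -> List[str]:
    """Run check_upload_to over every field and collect the messages."""
    errors: List[str] = []
    for label, upload_to in fields.items():
        errors.extend(check_upload_to(label, upload_to))
    return errors


if __name__ == "__main__":
    print(storage_path(MEDIA_ROOT, "avatars", "me.png"))   # /srv/site/media/avatars/me.png
    print(storage_path(MEDIA_ROOT, "/avatars", "me.png"))  # /avatars/me.png (MEDIA_ROOT dropped)
    for msg in run_checks():
        print(msg)
```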

Django

Oct 18, 2016, 3:39:56 AM
to django-...@googlegroups.com
#27358: Add a system check for FileField upload_to starting with a slash
--------------------------------------+------------------------------------
Reporter: Tim Graham | Owner: Frank
Type: Cleanup/optimization | Status: assigned
Component: Core (System checks) | Version: 1.10
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 1 | UI/UX: 0
--------------------------------------+------------------------------------
Changes (by Frank):

* status: new => assigned
* owner: nobody => Frank


--
Ticket URL: <https://code.djangoproject.com/ticket/27358#comment:1>

Django

Oct 27, 2016, 1:25:32 PM
to django-...@googlegroups.com
#27358: Add a system check for FileField upload_to starting with a slash
--------------------------------------+------------------------------------
Reporter: Tim Graham | Owner: Frank
Type: Cleanup/optimization | Status: assigned
Component: Core (System checks) | Version: 1.10
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 1
Easy pickings: 1 | UI/UX: 0
--------------------------------------+------------------------------------
Changes (by Tim Graham):

* needs_better_patch: 0 => 1
* has_patch: 0 => 1


Comment:

[https://github.com/django/django/pull/7442 PR] with comments for
improvement.

--
Ticket URL: <https://code.djangoproject.com/ticket/27358#comment:2>

Django

Nov 5, 2016, 10:04:15 AM
to django-...@googlegroups.com
#27358: Add a system check for FileField upload_to starting with a slash
--------------------------------------+------------------------------------
Reporter: Tim Graham | Owner: Frank
Type: Cleanup/optimization | Status: assigned
Component: Core (System checks) | Version: 1.10
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 1
Easy pickings: 1 | UI/UX: 0
--------------------------------------+------------------------------------
Changes (by Olivier Tabone):

* cc: olivier.tabone@… (added)


--
Ticket URL: <https://code.djangoproject.com/ticket/27358#comment:3>

Django

Nov 23, 2016, 10:00:53 AM
to django-...@googlegroups.com
#27358: Add a system check for FileField upload_to starting with a slash
-------------------------------------+-------------------------------------
Reporter: Tim Graham | Owner: Henry Dang
Type: Cleanup/optimization | Status: assigned
Component: Core (System checks) | Version: 1.10
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 1
Easy pickings: 1 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Henry Dang):

* owner: Frank => Henry Dang


--
Ticket URL: <https://code.djangoproject.com/ticket/27358#comment:4>

Django

Nov 26, 2016, 2:21:41 PM
to django-...@googlegroups.com
#27358: Add a system check for FileField upload_to starting with a slash
-------------------------------------+-------------------------------------
Reporter: Tim Graham | Owner: Henry Dang
Type: Cleanup/optimization | Status: assigned
Component: Core (System checks) | Version: 1.10
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 1 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Henry Dang):

* needs_better_patch: 1 => 0


Comment:

[https://github.com/django/django/pull/7621 PR]

--
Ticket URL: <https://code.djangoproject.com/ticket/27358#comment:5>

Django

Nov 26, 2016, 3:24:29 PM
to django-...@googlegroups.com
#27358: Add a system check for FileField upload_to starting with a slash
-------------------------------------+-------------------------------------
Reporter: Tim Graham | Owner: Henry Dang
Type: Cleanup/optimization | Status: assigned
Component: Core (System checks) | Version: 1.10
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 1 | UI/UX: 0
-------------------------------------+-------------------------------------

Comment (by François Freitag):

Would it be interesting to check for known potentially dangerous filenames
[#point1 (1)], such as {{{../index.html}}}?

[=#point1 (1)]
https://www.owasp.org/index.php/Unrestricted_File_Upload#Other_Interesting_Test_Cases

--
Ticket URL: <https://code.djangoproject.com/ticket/27358#comment:6>

Django

Nov 28, 2016, 4:49:32 PM
to django-...@googlegroups.com
#27358: Add a system check for FileField upload_to starting with a slash
-------------------------------------+-------------------------------------
Reporter: Tim Graham | Owner: Henry Dang
Type: Cleanup/optimization | Status: assigned
Component: Core (System checks) | Version: 1.10
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 1 | UI/UX: 0
-------------------------------------+-------------------------------------

Comment (by Tim Graham):

François, I'm not sure how/if your idea is related to this ticket?

--
Ticket URL: <https://code.djangoproject.com/ticket/27358#comment:7>

Django

Nov 29, 2016, 4:19:05 PM
to django-...@googlegroups.com
#27358: Add a system check for FileField upload_to starting with a slash
-------------------------------------+-------------------------------------
Reporter: Tim Graham | Owner: Henry Dang
Type: Cleanup/optimization | Status: closed
Component: Core (System checks) | Version: 1.10
Severity: Normal | Resolution: fixed
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 1 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Tim Graham <timograham@…>):

* status: assigned => closed
* resolution: => fixed


Comment:

In [changeset:"7cddd8a02e60332c0d02f565c450b0eea0d88438" 7cddd8a]:
{{{
#!CommitTicketReference repository=""
revision="7cddd8a02e60332c0d02f565c450b0eea0d88438"
Fixed #27358 -- Added a system check to prevent FileField's upload_to from
starting with a slash.

Thanks Frank Bijlsma for the initial patch.
}}}

--
Ticket URL: <https://code.djangoproject.com/ticket/27358#comment:8>

Django

Nov 30, 2016, 5:06:27 PM
to django-...@googlegroups.com
#27358: Add a system check for FileField upload_to starting with a slash
-------------------------------------+-------------------------------------
Reporter: Tim Graham | Owner: Henry Dang
Type: Cleanup/optimization | Status: closed
Component: Core (System checks) | Version: 1.10
Severity: Normal | Resolution: fixed
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 1 | UI/UX: 0
-------------------------------------+-------------------------------------

Comment (by Tim Graham <timograham@…>):

In [changeset:"e6262aaaf8066f2de8aadcc9561941ae64478cef" e6262aaa]:
{{{
#!CommitTicketReference repository=""
revision="e6262aaaf8066f2de8aadcc9561941ae64478cef"
Refs #27358 -- Removed invalid/unneeded FileField.upload_to in tests/docs.
}}}

--
Ticket URL: <https://code.djangoproject.com/ticket/27358#comment:9>
