Opened 8 years ago

Closed 8 years ago

Last modified 8 years ago

#27358 closed Cleanup/optimization (fixed)

Add a system check for FileField upload_to starting with a slash

Reported by: Tim Graham Owned by: Henry Dang
Component: Core (System checks) Version: 1.10
Severity: Normal Keywords:
Cc: olivier.tabone@… Triage Stage: Accepted
Has patch: yes Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: yes UI/UX: no

Description

A leading slash in upload_to seems to be a gotcha for some people new to Django (just came up in #django too).

The message could be something like "Remove the leading slash on upload_to as it should be a relative path."
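As an added illustration (not code from the ticket or from Django itself), the check the description asks for, together with a small demonstration of why a leading slash matters: joining MEDIA_ROOT with an absolute upload_to discards MEDIA_ROOT entirely. The function names, the field name and the MEDIA_ROOT value are constructed for the example; the check id fields.E202 is the one Django assigned to this check when it landed.

```python
import posixpath
from typing import Callable, Dict, List, Union

# Stand-in for FileField.upload_to as Django allows it: either a relative
# path string or a callable(instance, filename) -> path.
UploadTo = Union[str, Callable[[object, str], str]]


def check_upload_to(field_name: str, upload_to: UploadTo) -> List[Dict[str, str]]:
    """Return check errors for ``upload_to`` (an empty list means it is fine).

    Only string values can be inspected statically; a callable is skipped,
    which is also what Django's own system check does.
    """
    errors: List[Dict[str, str]] = []
    if isinstance(upload_to, str) and upload_to.startswith("/"):
        errors.append({
            "id": "fields.E202",  # id Django uses for this check
            "field": field_name,
            # Wording taken from the ticket description.
            "msg": "Remove the leading slash on upload_to as it should be a relative path.",
        })
    return errors


def resolved_path(media_root: str, upload_to: str, filename: str) -> str:
    """Show the effect of the leading slash on a plain POSIX path join.

    posixpath.join drops every component that precedes an absolute one, so an
    absolute upload_to makes MEDIA_ROOT vanish from the result. (Django's
    FileSystemStorage additionally guards with safe_join, but the value is
    still wrong, which is why a check at startup is the right place to catch it.)
    """
    return posixpath.join(media_root, upload_to, filename)


if __name__ == "__main__":
    media_root = "/var/www/media"  # constructed MEDIA_ROOT for the demo
    for upload_to in ("uploads/", "/uploads/"):
        print(repr(upload_to), "->", resolved_path(media_root, upload_to, "report.pdf"))
        for err in check_upload_to("document", upload_to):
            print("  %s (%s): %s" % (err["id"], err["field"], err["msg"]))
```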

Change History (9)

comment:1 by Frank, 8 years ago

Owner: changed from nobody to Frank
Status: new → assigned

comment:2 by Tim Graham, 8 years ago

Has patch: set
Patch needs improvement: set

PR with comments for improvement.

comment:3 by Olivier Tabone, 8 years ago

Cc: olivier.tabone@… added

comment:4 by Henry Dang, 8 years ago

Owner: changed from Frank to Henry Dang

comment:5 by Henry Dang, 8 years ago

Patch needs improvement: unset

comment:6 by François Freitag, 8 years ago

Would it be interesting to check for known potentially dangerous filenames (1), such as ../index.html?

(1) https://www.owasp.org/index.php/Unrestricted_File_Upload#Other_Interesting_Test_Cases

comment:7 by Tim Graham, 8 years ago

François, I'm not sure how/if your idea is related to this ticket?

comment:8 by Tim Graham <timograham@…>, 8 years ago

Resolution: fixed
Status: assigned → closed

In 7cddd8a:

Fixed #27358 -- Added a system check to prevent FileField's upload_to from starting with a slash.

Thanks Frank Bijlsma for the initial patch.

comment:9 by Tim Graham <timograham@…>, 8 years ago

In e6262aaa:

Refs #27358 -- Removed invalid/unneeded FileField.upload_to in tests/docs.
