fileupload: handle dot components in MEDIA_ROOT path correctly

author Aleksander Łukasz <aleksander.lukasz@nowoczesnapolska.org.pl>

Thu, 19 Dec 2013 09:50:37 +0000 (10:50 +0100)

committer Aleksander Łukasz <aleksander.lukasz@nowoczesnapolska.org.pl>

Tue, 12 Aug 2014 09:47:11 +0000 (11:47 +0200)
author Aleksander Łukasz <aleksander.lukasz@nowoczesnapolska.org.pl>
Thu, 19 Dec 2013 09:50:37 +0000 (10:50 +0100)
committer Aleksander Łukasz <aleksander.lukasz@nowoczesnapolska.org.pl>
Tue, 12 Aug 2014 09:47:11 +0000 (11:47 +0200)
diff --git a/apps/fileupload/views.py b/apps/fileupload/views.py

index d08bfd3..ab719a1 100644 (file)
--- a/apps/fileupload/views.py
+++ b/apps/fileupload/views.py
@@ -78,7 +78,7 @@ class UploadView(FormView):
                  settings.MEDIA_ROOT,
                  self.get_directory(),
                  filename))
-        if not path.startswith(settings.MEDIA_ROOT):
+        if not path.startswith(os.path.abspath(settings.MEDIA_ROOT)):
              raise Http404
          if filename:
              if not path.startswith(self.get_safe_path()):
author	Aleksander Łukasz <aleksander.lukasz@nowoczesnapolska.org.pl>
	Thu, 19 Dec 2013 09:50:37 +0000 (10:50 +0100)
committer	Aleksander Łukasz <aleksander.lukasz@nowoczesnapolska.org.pl>
	Tue, 12 Aug 2014 09:47:11 +0000 (11:47 +0200)