Skip to content


Subversion checkout URL

You can clone with
Download ZIP
Browse files

[1.2.X] Fixed #15181 -- Ensure that special characters are escaped wh…

…en querying for the URL of an uploaded file. Thanks to e.generalov for the report and patch.

Backport of r15409 from trunk.

git-svn-id: bcc190cf-cafb-0310-a4f2-bffc1f526a37
  • Loading branch information...
commit 6ba0f324e4fe787f065f79524c481063617377eb 1 parent 46b1fda
@freakboy3742 freakboy3742 authored
4 django/core/files/
@@ -7,7 +7,7 @@
from django.core.exceptions import ImproperlyConfigured, SuspiciousOperation
from django.core.files import locks, File
from django.core.files.move import file_move_safe
-from django.utils.encoding import force_unicode
+from django.utils.encoding import force_unicode, filepath_to_uri
from django.utils.functional import LazyObject
from django.utils.importlib import import_module
from django.utils.text import get_valid_filename
@@ -218,7 +218,7 @@ def size(self, name):
def url(self, name):
if self.base_url is None:
raise ValueError("This file is not accessible via a URL.")
- return urlparse.urljoin(self.base_url, name).replace('\\', '/')
+ return urlparse.urljoin(self.base_url, filepath_to_uri(name))
def get_storage_class(import_path=None):
if import_path is None:
18 django/utils/
@@ -151,6 +151,24 @@ def iri_to_uri(iri):
return iri
return urllib.quote(smart_str(iri), safe="/#%[]=:;$&()+,!?*@'~")
+def filepath_to_uri(path):
+ """Convert an file system path to a URI portion that is suitable for
+ inclusion in a URL.
+ We are assuming input is either UTF-8 or unicode already.
+ This method will encode certain chars that would normally be recognized as
+ special chars for URIs. Note that this method does not encode the '
+ character, as it is a valid character within URIs. See
+ encodeURIComponent() JavaScript function for more details.
+ Returns an ASCII string containing the encoded result.
+ """
+ if path is None:
+ return path
+ # I know about `os.sep` and `os.altsep` but I want to leave
+ # some flexibility for hardcoding separators.
+ return urllib.quote(smart_str(path).replace("\\", "/"), safe="/~!*()'")
# The encoding of the default system locale but falls back to the
# given fallback encoding if the encoding is unsupported by python or could
9 tests/regressiontests/file_storage/
@@ -147,6 +147,15 @@ def test_file_url(self):
'%s%s' % (, 'test.file'))
+ # should encode special chars except ~!*()'
+ # like encodeURIComponent() JavaScript function do
+ self.assertEqual("""~!*()'@#$%^&*abc`+=.file"""),
+ """/test_media_url/~!*()'%40%23%24%25%5E%26*abc%60%2B%3D.file""")
+ # should stanslate os path separator(s) to the url path separator
+ self.assertEqual("""a/b\\c.file"""),
+ """/test_media_url/a/b/c.file""")
+ = None
self.assertRaises(ValueError,, 'test.file')

0 comments on commit 6ba0f32

Please sign in to comment.
Something went wrong with that request. Please try again.