Skip to content

HTTPS clone URL

Subversion checkout URL

You can clone with HTTPS or Subversion.

Download ZIP
Browse files

[1.2.X] Fixed #15181 -- Ensure that special characters are escaped wh…

…en querying for the URL of an uploaded file. Thanks to e.generalov for the report and patch.

Backport of r15409 from trunk.

git-svn-id: http://code.djangoproject.com/svn/django/branches/releases/1.2.X@15410 bcc190cf-cafb-0310-a4f2-bffc1f526a37
  • Loading branch information...
commit 6ba0f324e4fe787f065f79524c481063617377eb 1 parent 46b1fda
@freakboy3742 freakboy3742 authored
View
4 django/core/files/storage.py
@@ -7,7 +7,7 @@
from django.core.exceptions import ImproperlyConfigured, SuspiciousOperation
from django.core.files import locks, File
from django.core.files.move import file_move_safe
-from django.utils.encoding import force_unicode
+from django.utils.encoding import force_unicode, filepath_to_uri
from django.utils.functional import LazyObject
from django.utils.importlib import import_module
from django.utils.text import get_valid_filename
@@ -218,7 +218,7 @@ def size(self, name):
def url(self, name):
if self.base_url is None:
raise ValueError("This file is not accessible via a URL.")
- return urlparse.urljoin(self.base_url, name).replace('\\', '/')
+ return urlparse.urljoin(self.base_url, filepath_to_uri(name))
def get_storage_class(import_path=None):
if import_path is None:
View
18 django/utils/encoding.py
@@ -151,6 +151,24 @@ def iri_to_uri(iri):
return iri
return urllib.quote(smart_str(iri), safe="/#%[]=:;$&()+,!?*@'~")
+def filepath_to_uri(path):
+ """Convert an file system path to a URI portion that is suitable for
+ inclusion in a URL.
+
+ We are assuming input is either UTF-8 or unicode already.
+
+ This method will encode certain chars that would normally be recognized as
+ special chars for URIs. Note that this method does not encode the '
+ character, as it is a valid character within URIs. See
+ encodeURIComponent() JavaScript function for more details.
+
+ Returns an ASCII string containing the encoded result.
+ """
+ if path is None:
+ return path
+ # I know about `os.sep` and `os.altsep` but I want to leave
+ # some flexibility for hardcoding separators.
+ return urllib.quote(smart_str(path).replace("\\", "/"), safe="/~!*()'")
# The encoding of the default system locale but falls back to the
# given fallback encoding if the encoding is unsupported by python or could
View
9 tests/regressiontests/file_storage/tests.py
@@ -147,6 +147,15 @@ def test_file_url(self):
self.assertEqual(self.storage.url('test.file'),
'%s%s' % (self.storage.base_url, 'test.file'))
+ # should encode special chars except ~!*()'
+ # like encodeURIComponent() JavaScript function do
+ self.assertEqual(self.storage.url(r"""~!*()'@#$%^&*abc`+=.file"""),
+ """/test_media_url/~!*()'%40%23%24%25%5E%26*abc%60%2B%3D.file""")
+
+ # should stanslate os path separator(s) to the url path separator
+ self.assertEqual(self.storage.url("""a/b\\c.file"""),
+ """/test_media_url/a/b/c.file""")
+
self.storage.base_url = None
self.assertRaises(ValueError, self.storage.url, 'test.file')
Please sign in to comment.
Something went wrong with that request. Please try again.