Directory traversal vulnerability Fix #32

Merged
merged 1 commit into from Mar 8, 2014

Conversation

@hschmitt

django-ajax-uploader has a vulnerability in the local backend when uploading a file, allowing a malicious user to upload to any directory within the ownership of the user running the webapp.
This fix closes that issue by using only a cleaned name (so things like '../../filename.jpg' will not work anymore).
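The two halves of the issue described above, as an added example that is not code from django-ajax-uploader or from this PR: a naive backend that joins the user-supplied filename onto the upload root lets '../../filename.jpg' resolve outside that root, while a backend that first reduces the name to a single cleaned path component and then verifies the final path still lies inside the root does not. The upload root, the function names and the character whitelist are assumptions made for this example.

```python
import os
import posixpath
import re

# Constructed upload root for this example; a real backend would take it from settings.
UPLOAD_ROOT = "/var/www/uploads"


def naive_upload_path(root, user_supplied_name):
    """The vulnerable pattern: trust the client-supplied filename as a relative path.

    os.path.join happily keeps '..' segments, so the normalized result can
    land anywhere the web server's user may write.
    """
    return os.path.normpath(os.path.join(root, user_supplied_name))


def clean_filename(user_supplied_name):
    """Reduce an attacker-controlled filename to one safe path component.

    Steps (assumed policy, not the project's): treat backslashes as separators
    too, keep only the last component, whitelist a conservative character set,
    and collapse '', '.', '..' and leading dots to a fixed default name.
    """
    name = user_supplied_name.replace("\\", "/")
    name = posixpath.basename(name)
    name = re.sub(r"[^A-Za-z0-9._-]", "_", name)
    if name in ("", ".", ".."):
        return "upload"
    name = name.lstrip(".")  # no hidden files such as .htaccess
    return name or "upload"


def is_within_root(root, candidate):
    """Defense in depth: resolve both paths and require root to be a prefix."""
    root_real = os.path.realpath(root)
    cand_real = os.path.realpath(candidate)
    return os.path.commonpath([root_real, cand_real]) == root_real


def safe_upload_path(root, user_supplied_name):
    """Build the destination from the cleaned name and re-check containment."""
    dest = os.path.join(root, clean_filename(user_supplied_name))
    if not is_within_root(root, dest):
        raise ValueError("upload path escapes the upload root")
    return os.path.realpath(dest)


if __name__ == "__main__":
    attacker_name = "../../filename.jpg"
    print("naive :", naive_upload_path(UPLOAD_ROOT, attacker_name))
    print("safe  :", safe_upload_path(UPLOAD_ROOT, attacker_name))
```

The containment check in `is_within_root` is deliberately kept even though `clean_filename` already strips directory parts: if a later change to the cleaning rules regresses, the second check still refuses a destination outside the root instead of silently writing there.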

Owner

skoczen commented Nov 14, 2012

Great addition and fix. Would you mind adding a test? This project isn't yet super-well tested, but I'd like to get it there.

Thanks for your help and contributions!

hschmitt commented Nov 14, 2012

Got it, going to add some tests for this.

Owner

skoczen commented Mar 8, 2014

Even though the tests stalled, this still seems like an improvement to me, so I'm merging in.

This will go out as 0.3.5 this afternoon - thanks for the help, and if you do want to add some tests in at some point, that'd be great!

skoczen added a commit that referenced this pull request Mar 8, 2014

Merge pull request #32 from hschmitt/master
Directory traversal vulnerability Fix

skoczen merged commit 65fc892 into skoczen:master Mar 8, 2014
