
Directory traversal vulnerability Fix #32

Merged
merged 1 commit into from

3 participants

@hschmitt

django-ajax-uploader has a vulnerability in the local backend when uploading a file, allowing a malicious user to upload to any directory within the ownership of the user running the webapp.
This fix closes that issue by getting only a cleaned name (so things like '../../filename.jpg' will not work anymore).
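
The traversal described above, and the effect of reducing the name to a single path component, side by side as an added example (this is not the project's code or the PR author's; `UPLOAD_ROOT` is a hypothetical stand-in for `settings.MEDIA_ROOT` joined with `UPLOAD_DIR`, and `posixpath` is used instead of `os.path` so the results are the same on any host):

```python
import posixpath

# Hypothetical upload root standing in for settings.MEDIA_ROOT + UPLOAD_DIR.
UPLOAD_ROOT = "/srv/app/media/uploads"


def vulnerable_target_path(filename, upload_root=UPLOAD_ROOT):
    """Pre-fix behaviour: the client-supplied name is joined as-is.
    '../' segments walk out of the upload directory, and an absolute
    name replaces the root entirely (posixpath.join discards the left
    side when the right side starts with '/')."""
    return posixpath.normpath(posixpath.join(upload_root, filename))


def sanitize_upload_name(filename):
    """Reduce a client-supplied name to a single safe path component.

    Returns None when nothing usable survives; the caller should then
    reject the upload or generate its own name."""
    # Treat both separators as separators regardless of host OS, so a
    # name like 'a\\..\\b' is also reduced if the app ever runs on Windows.
    name = filename.replace("\\", "/")
    name = posixpath.basename(name)
    # basename() alone leaves '', '.' and '..' untouched, and joining
    # '..' onto the upload root still points at the parent directory.
    if name in ("", ".", ".."):
        return None
    return name


def safe_target_path(filename, upload_root=UPLOAD_ROOT):
    """Post-fix behaviour: basename first, then a containment check.

    The containment check is defence in depth; with sanitize_upload_name()
    applied it cannot fail, but it catches any future change that
    reintroduces a directory component."""
    name = sanitize_upload_name(filename)
    if name is None:
        raise ValueError("unusable filename: %r" % (filename,))
    target = posixpath.normpath(posixpath.join(upload_root, name))
    if posixpath.commonpath([upload_root, target]) != upload_root:
        raise ValueError("path escapes upload root: %r" % (filename,))
    return target


if __name__ == "__main__":
    # Constructed attacker-supplied names, not captured traffic.
    for evil in ("../../filename.jpg", "/etc/passwd", "..", "a\\..\\evil.png"):
        try:
            print("%-20s vuln=%-30s safe=%s" % (
                evil, vulnerable_target_path(evil), safe_target_path(evil)))
        except ValueError as exc:
            print("%-20s vuln=%-30s safe=rejected (%s)" % (
                evil, vulnerable_target_path(evil), exc))
```

The basename call is what the merged one-line fix does; the explicit rejection of `''`, `'.'` and `'..'` and the `commonpath` check are extra steps a reviewer would normally ask for, since `basename` alone passes those three values through unchanged.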

@skoczen
Owner

Great addition and fix. Would you mind adding a test? This project isn't yet super-well tested, but I'd like to get it there.

Thanks for your help and contributions!

@hschmitt

Got it, going to add some tests for this.

@skoczen
Owner

Even though the tests stalled, this still seems like an improvement to me, so I'm merging in.

This will go out as 0.3.5 this afternoon - thanks for the help, and if you do want to add some tests in at some point, that'd be great!

@skoczen skoczen merged commit 65fc892 into skoczen:master
Showing with 1 addition and 0 deletions.
  1. +1 −0  ajaxuploader/backends/local.py
1  ajaxuploader/backends/local.py
@@ -32,6 +32,7 @@ def update_filename(self, request, filename, *args, **kwargs):
Ensure file with name doesn't exist, and if it does,
create a unique filename to avoid overwriting
"""
+ filename = os.path.basename(filename)
self._dir = os.path.join(
settings.MEDIA_ROOT, self.UPLOAD_DIR)
unique_filename = False
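Review bot: `os.path.basename()` on the added line passes `''`, `'.'` and `'..'` through unchanged, so a request whose filename is exactly `'..'` is not neutralised by this hunk; reject those three results (or substitute a generated name) right after the basename call, e.g. `if filename in ('', '.', '..'): filename = 'upload'`, before the uniqueness logic that follows. The hunk also lacks the regression test the PR discussion asks for; a test that passes `'../../filename.jpg'` through `update_filename` and asserts the result stays under `self._dir` would pin the fix.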