Directory traversal vulnerability Fix #32

merged 1 commit into from

3 participants


django-ajax-uploader has a vulnerability in the local backend when uploading a file, allowing a malicious user to upload to any directory within the ownership of the user running the webapp.
This fix closes that issue by getting only a cleaned name (so things like '../../filename.jpg' will not work anymore).
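
The join-then-write behaviour the description refers to, beside the `os.path.basename()` approach this PR takes and a stricter variant that also handles backslash separators and the special names `.` and `..`, as an added Python example. This is not code from django-ajax-uploader: the upload root path, the `clean_filename`, `is_inside`, `safe_target` and `rejects` helpers and the character allow-list are this example's own assumptions.

```python
import os
import posixpath
import re

# Constructed upload root for this demonstration (the project derives its
# directory from settings.MEDIA_ROOT and UPLOAD_DIR; this path is an assumption).
UPLOAD_ROOT = "/srv/app/media/uploads"

# Conservative allow-list for the stricter cleaner below (an assumption of
# this example, not something django-ajax-uploader specifies).
_UNSAFE_CHARS = re.compile(r"[^A-Za-z0-9._-]")


def vulnerable_target(upload_root, filename):
    """Pre-fix behaviour: the client-supplied name is joined to the upload
    directory as-is, so '../' components walk out of upload_root."""
    return os.path.normpath(os.path.join(upload_root, filename))


def basename_target(upload_root, filename):
    """Behaviour after this PR: only os.path.basename() of the client name
    is kept, which drops directory components that use the host's own
    separator ('/' on POSIX; a backslash is not a separator there)."""
    return os.path.normpath(os.path.join(upload_root, os.path.basename(filename)))


def clean_filename(filename):
    """Stricter, platform-independent variant (this example's own helper):
    treat both '/' and '\\' as separators, keep only the last component,
    restrict the character set, and reject the special names '', '.' and '..'
    which basename() would otherwise let through."""
    name = posixpath.basename(filename.replace("\\", "/"))
    name = _UNSAFE_CHARS.sub("_", name)
    if name in ("", ".", ".."):
        raise ValueError("cannot derive a file name from %r" % (filename,))
    return name


def is_inside(upload_root, target):
    """Defence in depth: confirm the final path is still below upload_root
    regardless of how the name was cleaned."""
    root = os.path.abspath(upload_root).rstrip(os.sep) + os.sep
    return os.path.abspath(target).startswith(root)


def safe_target(upload_root, filename):
    """Clean the name, join it, and verify the result stays inside the root."""
    target = os.path.join(upload_root, clean_filename(filename))
    if not is_inside(upload_root, target):
        raise ValueError("upload path escaped %r" % (upload_root,))
    return target


def rejects(filename):
    """True if clean_filename() refuses the name."""
    try:
        clean_filename(filename)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    evil = "../../filename.jpg"
    print("vulnerable:", vulnerable_target(UPLOAD_ROOT, evil))  # lands in /srv/app
    print("basename:  ", basename_target(UPLOAD_ROOT, evil))    # stays in uploads
    print("cleaned:   ", safe_target(UPLOAD_ROOT, "..\\..\\my photo.jpg"))
    for bad in ("", ".", "..", "dir/", "a/.."):
        print("rejected %r: %s" % (bad, rejects(bad)))
```

`basename_target` shows what this PR achieves on a POSIX host: the `../` prefix is gone and the file lands under the upload directory. `safe_target` adds the checks a reviewer would ask for on top of that, namely separator normalisation, rejection of `.`/`..`/empty results, and a final containment check on the resolved path, so a future change to how the name is cleaned cannot silently reopen the traversal.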


Great addition and fix. Would you mind adding a test? This project isn't yet super-well tested, but I'd like to get it there.

Thanks for your help and contributions!


Got it, going to add some tests for this.


Even though the tests stalled, this still seems like an improvement to me, so I'm merging in.

This will go out as 0.3.5 this afternoon - thanks for the help, and if you do want to add some tests in at some point, that'd be great!

@skoczen skoczen merged commit 65fc892 into skoczen:master
Showing with 1 addition and 0 deletions.
+1 −0  ajaxuploader/backends/
@@ -32,6 +32,7 @@ def update_filename(self, request, filename, *args, **kwargs):
Ensure file with name doesn't exist, and if it does,
create a unique filename to avoid overwriting
+ filename = os.path.basename(filename)
self._dir = os.path.join(
settings.MEDIA_ROOT, self.UPLOAD_DIR)
unique_filename = False
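Review bot: `os.path.basename()` on the new line at the top of this hunk is a narrower fix than the PR title suggests and needs two follow-ups. First, it splits only on the host's separator, so on a POSIX server a client-supplied `..\..\filename.jpg` is kept verbatim (harmless on that host, but the stored name then carries separators a Windows host would honour); normalising `\` to `/` before the call, or rejecting names that contain either separator, removes the ambiguity. Second, the special names `''`, `'.'` and `'..'` survive `basename()` unchanged, so `filename='..'` produces `os.path.join(self._dir, '..')`, a directory rather than a file under `UPLOAD_DIR`; reject those three results explicitly. The docstring just above the change still only describes the uniqueness check, so a one-line comment saying the directory part is deliberately discarded would help, and the thread asks for a test: a case that passes `'../../filename.jpg'` and asserts the returned path is under `settings.MEDIA_ROOT`/`UPLOAD_DIR` would cover it.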