Code

Opened 5 years ago

Closed 5 years ago

#10296 closed (duplicate)

Unescaped output from FileField.url

Reported by: masklinn Owned by: nobody
Component: File uploads/storage Version: 1.0
Severity: Keywords: filefield url escaping quote
Cc: Triage Stage: Unreviewed
Has patch: yes Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: UI/UX:

Description

FileField.url doesn't escape its output, resulting in validation errors if the URL contains spaces and breakages if it contains non-ascii characters or ?.

This is related to #5160 basically the same bug using the old FileField and the get_FOO_url method.

The patch attached fixes the issue, but is fairly hacky in that self.storage.url returns the complete url (including scheme and netloc) so : has to be ignored on top of /. It would be nice to use urllib.urlsplit and escape only the path, but that breaks in case there's a ? in the file path.

Attachments (1)

files.diff (791 bytes) - added by masklinn 5 years ago.

Download all attachments as: .zip

Change History (2)

Changed 5 years ago by masklinn

comment:1 Changed 5 years ago by jacob

  • Needs documentation unset
  • Needs tests unset
  • Patch needs improvement unset
  • Resolution set to duplicate
  • Status changed from new to closed

Duplicate of #5160

Add Comment

Modify Ticket

Change Properties
<Author field>
Action
as closed
as The resolution will be set. Next status will be 'closed'
The resolution will be deleted. Next status will be 'new'
Author


E-mail address and user name can be saved in the Preferences.

 
Note: See TracTickets for help on using tickets.