Uploading a file ending with a backslash fails
|Reported by:||Peter Kuma||Owned by:|
|Cc:||nuno@…, supersteve9219||Triage Stage:||Accepted|
|Has patch:||yes||Needs documentation:||yes|
|Needs tests:||no||Patch needs improvement:||yes|
When uploading a file, the filename as supplied in
Content-Disposition filename parameter is sanitized by:
def IE_sanitize(self, filename): """Cleanup filename from Internet Explorer full paths.""" return filename and filename[filename.rfind("\\")+1:].strip()
multipartparser.py. If the filename contains a backslash, only the part following the backslash is retained. Because backslash is a valid character in unix file names, this behavior is not consistent with the expectations of a unix user.
More importantly, uploading a file ending with a backslash results in
AttributeError. Consider the following section of
file_name = disposition.get('filename') if not file_name: continue file_name = force_unicode(file_name, encoding, errors='replace') file_name = self.IE_sanitize(unescape_entities(file_name))
If the filename parameter is empty, the file is ignored. However, if file_name is empty as a result of
IE_sanitize stripping away the part before the last backslash character, the processing continues, and later fails with:
Exception Value: '
TemporaryFileUploadHandler' object has no attribute 'file'
Exception Location: /usr/lib/python2.6/site-packages/django/core/files/uploadhandler.py in file_complete, line 141
140. def file_complete(self, file_size): 141. self.file.seek(0)
One way of resolving this issue might be by making
IE_sanitize less invasive, for example by making it effective only if filename begins with
Change History (16)
comment:2 Changed 4 years ago by
|Owner:||changed from nobody to supersteve9219|
|Status:||new → assigned|