StaticFilesStorage permits leading slash, CachedStaticFilesStorage doesn't

[Seán Hayes]

I got the following email from our staging server:

The joined path (/images/no-image.jpg) is located outside of the base path component (/full-path/collected-static)

Someone was using the following template tag:

{% static "/images/no-image.jpg" as no_image_url %}

I checked to see why our tests didn't raise the same error, and it turns out it only happens with CachedStaticFilesStorage (and likely the other manifest storages), StaticFilesStorage and FileSystemStorage seem to just ignore this error.

Since CachedStaticFilesStorage shouldn't be used during testing, I think the parent classes should raise the same error.

[Tim Graham]

As a note to anyone tackling this, it only happens with DEBUG = False.

[David Sanders]

If no one knows of a legitimate use case for absolute paths being passed to the static templatetag, it seems like this could be fixed fairly easily by raising a ValueError in the StaticFileStorage url method if the path has a leading slash.

However, while we're on the topic there are some other inconsistencies such as for CachedFileStorage leading spaces (but no initial slash) in DEBUG returns the path with a leading space, where as not in DEBUG chomps the leading space. For StaticFileStorage the leading space is always URL encoded.

Seems like a general 'clean_url' method for StaticFileStorage would be useful, that strips spaces and raises a ValueError for a leading slash.