id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
30745	Allow serving a default file for FileField from static URL.	bhch	nobody	"Prior to version 1.9, it was possible to serve a default file for a `FileFIeld` from an absolute url just by setting the `default` value on the field like:

{{{
ImageField(default='/static/placeholder.png' ...)
}}}


But due to the security concerns raised in #25905, the commit [changeset:""fdf5cd3429369954e8deb764d9f30f6374581613"" fdf5cd34] strips off all the leading slashes thereby making the path relative to which `urljoin` later prepends a base url. This removes the possibility of serving a default file from the static url.

I think a better solution would be to remove more than 1 leading slashes, but not one.

Current implementation: `url.lstrip('/')`. 

Proposed: `re.sub(r'/{2,}', '/', url)` or `re.sub(r'/{2,}', '', url)`.

This will keep the absolute urls as intended and also convert external urls to internal."	New feature	closed	File uploads/storage	2.2	Normal	needsinfo			Unreviewed	0	0	0	0	0	0