I think you tried to do too much without really looking at why safe join was failing. It was failing because the base path ending in '/' caused the final comparison to be incorrect.
Try something like this:
    # force_unicode is the helper from Django releases of this era.
    from django.utils.encoding import force_unicode


    def safe_join(base, *paths):
        """
        A version of django.utils._os.safe_join for S3 paths.

        Joins one or more path components to the base path component
        intelligently. Returns a normalized version of the final path.

        The final path must be located inside of the base path component
        (otherwise a ValueError is raised).

        Paths outside the base path indicate a possible security
        sensitive operation.
        """
        from urlparse import urljoin
        base_path = force_unicode(base)
        base_path = base_path.rstrip('/')
        paths = [force_unicode(p) for p in paths]

        # urljoin() accepts a single relative URL, so join one component
        # at a time instead of passing *paths.
        final_path = base_path
        for path in paths:
            final_path = urljoin(final_path.rstrip('/') + "/", path)

        # Ensure final_path starts with base_path and that the next character after
        # the final path is '/' (or nothing, in which case final_path must be
        # equal to base_path).
        base_path_len = len(base_path)
        if not final_path.startswith(base_path) \
           or final_path[base_path_len:base_path_len + 1] not in ('', '/'):
            raise ValueError('the joined path is located outside of the base path'
                             ' component')
        return final_path

I just stripped the '/' characters from the left of the base_path.
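
An added example, not part of the comment above or of the project's code: a Python 3 sketch of the same containment check, run with and without stripping the base, to show the trailing-'/' failure and the inputs the check is meant to reject. The helper names (`_join`, `_inside`, `join_unstripped`, `rejected`) and the sample paths are constructed for illustration.

```python
from urllib.parse import urljoin  # Python 3 location of urlparse.urljoin

ERR = "the joined path is located outside of the base path component"


def _join(base_path, paths):
    # urljoin() resolves one relative reference at a time, so fold components in.
    final_path = base_path
    for path in paths:
        final_path = urljoin(final_path.rstrip("/") + "/", path)
    return final_path


def _inside(base_path, final_path):
    # final_path must equal base_path or continue with '/' directly after it.
    n = len(base_path)
    return final_path.startswith(base_path) and final_path[n:n + 1] in ("", "/")


def join_unstripped(base, *paths):
    """Hypothetical 'before': the check runs against the base exactly as given."""
    final_path = _join(base, paths)
    if not _inside(base, final_path):
        raise ValueError(ERR)
    return final_path


def safe_join(base, *paths):
    """The same check after stripping trailing '/' characters from the base."""
    base_path = base.rstrip("/")
    final_path = _join(base_path, paths)
    if not _inside(base_path, final_path):
        raise ValueError(ERR)
    return final_path


def rejected(join, base, *paths):
    """True if join() raises ValueError for these inputs."""
    try:
        join(base, *paths)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed inputs: a legitimate key, then three that leave the base.
    for part in ("a.txt", "../secret", "../media-private/x", "/etc/passwd"):
        print(part, rejected(join_unstripped, "media/", part),
              rejected(safe_join, "media/", part))
```

With the base left as `media/`, the character after the prefix is the first character of the key rather than `/`, so even `a.txt` is refused; the `../media-private/x` case is why `startswith` alone is not enough.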