Commits

Alan Justino committed baf0c2d

Lean version of safe_join by Ian Lewis

Comments (0)

Files changed (1)

storages/backends/s3boto.py

     """
     from urlparse import urljoin
     base_path = force_unicode(base)
-    base_path += "/" if not base_path.endswith("/") else ""
-    paths = map(lambda p: force_unicode(p), paths)
-    final_path = urljoin(base_path, *paths)
-    # Ensure final_path starts with base_path and that the path after if does
-    # not try to go up using '/../' constructions
+    base_path = base_path.rstrip('/')
+    paths = [force_unicode(p) for p in paths]
+    final_path = urljoin(base_path + "/", *paths)
+    # Ensure final_path starts with base_path and that the next character after
+    # the final path is '/' (or nothing, in which case final_path must be
+    # equal to base_path).
     base_path_len = len(base_path)
-    if not (final_path.startswith(base_path) and
-            '../' not in final_path[base_path_len:]):
+    if not final_path.startswith(base_path) \
+       or final_path[base_path_len:base_path_len+1] not in ('', '/'):
         raise ValueError('the joined path is located outside of the base path'
                          ' component')
     return final_path