Commits

Alan Justino committed f51b080

Tried to guard against writing outside AWS_LOCATION

Files changed (1)

storages/backends/s3boto.py

     base_path += "/" if not base_path.endswith("/") else ""
     paths = map(lambda p: force_unicode(p), paths)
     final_path = urljoin(base_path, *paths)
-    # Ensure final_path starts with base_path and that the next character after
-    # the base path is not '.'
+    # Ensure final_path starts with base_path and that the path after if does
+    # not try to go up using '/../' constructions
     base_path_len = len(base_path)
     if not (final_path.startswith(base_path) and
-            final_path[base_path_len:base_path_len+1] != '.'):
+            '../' not in final_path[base_path_len:]):
         raise ValueError('the joined path is located outside of the base path'
                          ' component')
     return final_path
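Review bot: The new condition `'../' not in final_path[base_path_len:]` is a substring test rather than a per-segment test, so a remainder that is exactly `..` or ends in `/..` (no trailing slash) passes it, while a legitimate key name such as `foo../bar` is rejected. Consider comparing whole segments instead, for example `'..' not in final_path[base_path_len:].split('/')`, and raising the same ValueError when that fails. The rewritten comment also has a typo: "the path after if does" should read "the path after it does".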