diff options
| author | Mariusz Felisiak <felisiak.mariusz@gmail.com> | 2021-05-13 08:53:44 +0200 |
|---|---|---|
| committer | Mariusz Felisiak <felisiak.mariusz@gmail.com> | 2021-05-13 09:00:25 +0200 |
| commit | b8ecb0643619a0650a4447b282478ce5257856e2 (patch) | |
| tree | 6e6eb7428236c2084ea6614d84364285ab8de344 /django/db/models/fields/files.py | |
| parent | 3ba089ac7e5720a363d01499451bcfa8c74a56d9 (diff) | |
[2.2.x] Fixed #32718 -- Relaxed file name validation in FileField.
- Validate filename returned by FileField.upload_to() not a filename
passed to the FileField.generate_filename() (upload_to() may
completely ignored passed filename).
- Allow relative paths (without dot segments) in the generated filename.
Thanks to Jakub Kleň for the report and review.
Thanks to all folks for checking this patch on existing projects.
Thanks Florian Apolloner and Markus Holtermann for the discussion and
implementation idea.
Regression in 0b79eb36915d178aef5c6a7bbce71b1e76d376d3.
Backport of b55699968fc9ee985384c64e37f6cc74a0a23683 from main.
Diffstat (limited to 'django/db/models/fields/files.py')
| -rw-r--r-- | django/db/models/fields/files.py | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/django/db/models/fields/files.py b/django/db/models/fields/files.py index d53bd42bee..0f8c3fe484 100644 --- a/django/db/models/fields/files.py +++ b/django/db/models/fields/files.py @@ -300,12 +300,12 @@ class FileField(Field): Until the storage layer, all file paths are expected to be Unix style (with forward slashes). """ - filename = validate_file_name(filename) if callable(self.upload_to): filename = self.upload_to(instance, filename) else: dirname = datetime.datetime.now().strftime(self.upload_to) filename = posixpath.join(dirname, filename) + filename = validate_file_name(filename, allow_relative_path=True) return self.storage.generate_filename(filename) def save_form_data(self, instance, data): |