Fixed #28132 -- Made MultiPartParser ignore filenames with trailing slash.

author: Michael Brown <michael@msbrown.net> 2020-06-08 12:55:27 -0400
committer: Mariusz Felisiak <felisiak.mariusz@gmail.com> 2020-06-11 08:46:59 +0200
commit: 36db4dd937ae11c5b687c5d2e5fa3c27e4140001 (patch)
tree: 9ee9d7e78f1528f75d7b79c935d845122f6dd36f /django/http/multipartparser.py
parent: 678c8dfee458cda77fce0d1c127f1939dc134584 (diff)
1 files changed, 2 insertions, 0 deletions
diff --git a/django/http/multipartparser.py b/django/http/multipartparser.py
index 33d8814241..b3472f7be2 100644
--- a/django/http/multipartparser.py
+++ b/django/http/multipartparser.py
@@ -9,6 +9,7 @@ import binascii
 import cgi
 import collections
 import html
+import os
 from urllib.parse import unquote
 
 from django.conf import settings
@@ -208,6 +209,7 @@ class MultiPartParser:
                     # This is a file, use the handler...
                     file_name = disposition.get('filename')
                     if file_name:
+                        file_name = os.path.basename(file_name)
                         file_name = force_str(file_name, encoding, errors='replace')
                         file_name = self.IE_sanitize(html.unescape(file_name))
                     if not file_name:
author	Michael Brown <michael@msbrown.net>	2020-06-08 12:55:27 -0400
committer	Mariusz Felisiak <felisiak.mariusz@gmail.com>	2020-06-11 08:46:59 +0200
commit	36db4dd937ae11c5b687c5d2e5fa3c27e4140001 (patch)
tree	9ee9d7e78f1528f75d7b79c935d845122f6dd36f /django/http/multipartparser.py
parent	678c8dfee458cda77fce0d1c127f1939dc134584 (diff)