Fixed #4952 -- Fixed the `get_template_sources` functions of the `app_directories` and `filesystem` template loaders to not return paths outside of given template directories. Both functions now make use of a new `safe_join` utility function. Thanks to SmileyChris for help with the patch.

git-svn-id: http://code.djangoproject.com/svn/django/trunk@5750 bcc190cf-cafb-0310-a4f2-bffc1f526a37

1 files changed, 23 insertions, 0 deletions

diff --git a/django/utils/_os.py b/django/utils/_os.py
new file mode 100644
index 0000000000..f7114af291
--- /dev/null
+++ b/django/utils/_os.py
@@ -0,0 +1,23 @@
+from os.path import join, normcase, abspath, sep

+

+def safe_join(base, *paths):

+    """

+    Join one or more path components to the base path component intelligently.

+    Return a normalized, absolute version of the final path.

+

+    The final path must be located inside of the base path component (otherwise

+    a ValueError is raised).

+    """

+    # We need to use normcase to ensure we don't false-negative on case

+    # insensitive operating systems (like Windows).

+    final_path = normcase(abspath(join(base, *paths)))

+    base_path = normcase(abspath(base))

+    base_path_len = len(base_path)

+    # Ensure final_path starts with base_path and that the next character after

+    # the final path is os.sep (or nothing, in which case final_path must be

+    # equal to base_path).

+    if not final_path.startswith(base_path) \

+       or final_path[base_path_len:base_path_len+1] not in ('', sep):

+        raise ValueError('the joined path is located outside of the base path'

+                         ' component')

+    return final_path