Diffstat (limited to 'django/http')
| -rw-r--r-- | django/http/multipartparser.py | 13 |
1 files changed, 9 insertions, 4 deletions
diff --git a/django/http/multipartparser.py b/django/http/multipartparser.py
index fd8fce8b4d..db1b5ce8b9 100644
--- a/django/http/multipartparser.py
+++ b/django/http/multipartparser.py
@@ -9,6 +9,7 @@ import binascii
 import cgi
 import collections
 import html
+import os
 from urllib.parse import unquote
 from django.conf import settings
@@ -209,7 +210,7 @@ class MultiPartParser:
 file_name = disposition.get('filename')
 if file_name:
 file_name = force_str(file_name, encoding, errors='replace')
- file_name = self.IE_sanitize(html.unescape(file_name))
+ file_name = self.sanitize_file_name(file_name)
 if not file_name:
 continue
@@ -297,9 +298,13 @@ class MultiPartParser:
 self._files.appendlist(force_str(old_field_name, self._encoding, errors='replace'), file_obj)
 break
- def IE_sanitize(self, filename):
- """Cleanup filename from Internet Explorer full paths."""
- return filename and filename[filename.rfind("\\") + 1:].strip()
+ def sanitize_file_name(self, file_name):
+ file_name = html.unescape(file_name)
+ # Cleanup Windows-style path separators.
+ file_name = file_name[file_name.rfind('\\') + 1:].strip()
+ return os.path.basename(file_name)
+
+ IE_sanitize = sanitize_file_name
 def _close_files(self):
 # Free up all file handles.
|
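Review bot: In `sanitize_file_name` (third hunk), `os.path.basename()` returns `.` and `..` unchanged, so a filename that is only a current- or parent-directory reference is still truthy and passes the caller's `if not file_name: continue` check in the second hunk; what the parser does with the name after that check lies outside the hunk. Consider rejecting those values after the basename step, for example `if file_name in {'', os.path.curdir, os.path.pardir}: return None`. The new method also has no docstring: one stating that it HTML-unescapes the name and then strips every directory component, with backslashes handled explicitly because `os.path.basename` follows the host platform's separator rules, would record why both steps are needed. Separately, the `IE_sanitize` alias no longer tolerates a falsy argument the way the removed `filename and …` expression did, because `html.unescape(None)` raises; if outside callers of the old name may exist, an early `if not file_name: return file_name` would keep it compatible.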
