From 7f6fbc906a21e9f8db36e06ace2a9b687aa26130 Mon Sep 17 00:00:00 2001
From: Aymeric Augustin
Date: Tue, 23 Feb 2016 10:51:54 +0100
Subject: Prevented static file corruption when URL fragment contains '..'. When running collectstatic with a hashing static file storage backend, URLs referencing other files were normalized with posixpath.normpath. This could corrupt URLs: for example 'a.css#b/../c' became just 'c'. Normalization seems to be an artifact of the historical implementation. It contained a home-grown implementation of posixpath.join which relied on counting occurrences of .. and /, so multiple / had to be collapsed. The new implementation introduced in the previous commit doesn't suffer from this issue. So it seems safe to remove the normalization. There was a test for this normalization behavior but I don't think it's a good test. Django shouldn't modify CSS that way. If a developer has rendundant /s, it's mostly an aesthetic issue and it isn't Django's job to fix it. Conversely, if the user wants a series of /s, perhaps in the URL fragment, Django shouldn't destroy it. Refs #26249.
---
 tests/staticfiles_tests/project/documents/cached/css/fragments.css | 2 +-
 tests/staticfiles_tests/project/documents/cached/denorm.css | 4 ----
 2 files changed, 1 insertion(+), 5 deletions(-)
 delete mode 100644 tests/staticfiles_tests/project/documents/cached/denorm.css
(limited to 'tests/staticfiles_tests/project/documents')
diff --git a/tests/staticfiles_tests/project/documents/cached/css/fragments.css b/tests/staticfiles_tests/project/documents/cached/css/fragments.css
index e6e7049465..533d7617aa 100644
--- a/tests/staticfiles_tests/project/documents/cached/css/fragments.css
+++ b/tests/staticfiles_tests/project/documents/cached/css/fragments.css
@@ -1,7 +1,7 @@
 @font-face {
 src: url('fonts/font.eot?#iefix') format('embedded-opentype'),
 url('fonts/font.svg#webfontIyfZbseF') format('svg');
- url('fonts/font.svg#../path/to/fonts/font.svg') format('svg');
+ url('fonts/font.svg#path/to/../../fonts/font.svg') format('svg');
 url('data:font/woff;charset=utf-8;base64,d09GRgABAAAAADJoAA0AAAAAR2QAAQAAAAAAAAAAAAA');
 }
 div {
diff --git a/tests/staticfiles_tests/project/documents/cached/denorm.css b/tests/staticfiles_tests/project/documents/cached/denorm.css
deleted file mode 100644
index d6567b00dd..0000000000
--- a/tests/staticfiles_tests/project/documents/cached/denorm.css
+++ /dev/null
@@ -1,4 +0,0 @@
-@import url("..//cached///styles.css");
-body {
- background: #d3d6d8 url(img/relative.png );
-}
-- cgit v1.3
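Review bot: The changed fixture line in fragments.css, `url('fonts/font.svg#path/to/../../fonts/font.svg') format('svg');`, exercises `..` only after the `#`, and the deleted denorm.css was the one fixture visible in this patch with `..` in the path part of a `url()`. Since the commit message says path normalization is removed entirely, it would be worth keeping a fixture whose path portion contains `..`, so a test pins how such references resolve relative to the storage root while the fragment is passed through unchanged. A short comment above the changed line, such as `/* '..' in the fragment must survive collectstatic untouched */`, would also tell a later maintainer why the odd fragment is there. If the comment is added, any expected hash for fragments.css in the tests has to be updated to match. This view is limited to the documents directory, so the assertions and the storage code may already cover the path case elsewhere.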