Fixed #26325 -- Made MultiPartParser ignore filenames that normalize to an empty string.

author: John-Mark Bell <jmb@pexip.com> 2016-03-07 12:06:46 +0000
committer: Tim Graham <timograham@gmail.com> 2016-03-07 13:19:39 -0500
commit: 4b129ac81f4fa38004950d0b307f81d1e9b44af8 (patch)
tree: 702fd5f42b611a8cb0e4647434d9607a4f76f000 /tests/file_uploads
parent: 75614f6d4c1a3fe779a75eb3e787452cccd1d814 (diff)
download: django-4b129ac81f4fa38004950d0b307f81d1e9b44af8.tar.gz
1 files changed, 35 insertions, 0 deletions
diff --git a/tests/file_uploads/tests.py b/tests/file_uploads/tests.py
index 976707f4b4..66bae79e0e 100644
--- a/tests/file_uploads/tests.py
+++ b/tests/file_uploads/tests.py
@@ -179,6 +179,41 @@ class FileUploadTests(TestCase):
         response = self.client.request(**r)
         self.assertEqual(response.status_code, 200)
 
+    def test_blank_filenames(self):
+        """
+        Receiving file upload when filename is blank (before and after
+        sanitization) should be okay.
+        """
+        # The second value is normalized to an empty name by
+        # MultiPartParser.IE_sanitize()
+        filenames = ['', 'C:\\Windows\\']
+
+        payload = client.FakePayload()
+        for i, name in enumerate(filenames):
+            payload.write('\r\n'.join([
+                '--' + client.BOUNDARY,
+                'Content-Disposition: form-data; name="file%s"; filename="%s"' % (i, name),
+                'Content-Type: application/octet-stream',
+                '',
+                'You got pwnd.\r\n'
+            ]))
+        payload.write('\r\n--' + client.BOUNDARY + '--\r\n')
+
+        r = {
+            'CONTENT_LENGTH': len(payload),
+            'CONTENT_TYPE': client.MULTIPART_CONTENT,
+            'PATH_INFO': '/echo/',
+            'REQUEST_METHOD': 'POST',
+            'wsgi.input': payload,
+        }
+        response = self.client.request(**r)
+        self.assertEqual(response.status_code, 200)
+
+        # Empty filenames should be ignored
+        received = json.loads(response.content.decode('utf-8'))
+        for i, name in enumerate(filenames):
+            self.assertIsNone(received.get('file%s' % i))
+
     def test_dangerous_file_names(self):
         """Uploaded file names should be sanitized before ever reaching the view."""
         # This test simulates possible directory traversal attacks by a
author	John-Mark Bell <jmb@pexip.com>	2016-03-07 12:06:46 +0000
committer	Tim Graham <timograham@gmail.com>	2016-03-07 13:19:39 -0500
commit	4b129ac81f4fa38004950d0b307f81d1e9b44af8 (patch)
tree	702fd5f42b611a8cb0e4647434d9607a4f76f000 /tests/file_uploads
parent	75614f6d4c1a3fe779a75eb3e787452cccd1d814 (diff)
download	django-4b129ac81f4fa38004950d0b307f81d1e9b44af8.tar.gz