diff --git a/storages/views.py b/storages/views.py
index 0c48ab6..18a3d02 100644
--- a/storages/views.py
+++ b/storages/views.py
@@ -1,4 +1,5 @@
 import json
+import os
 
 from django.contrib import messages
 from django.http import HttpResponse, HttpResponseRedirect
@@ -90,7 +91,10 @@ def storage(request, compute_id, pool):
     """
 
     def handle_uploaded_file(path, f_name):
-        target = path + "/" + str(f_name)
+        target = os.path.normpath(os.path.join(path, f_name))
+        if not target.startswith(path):
+            raise Exception("Security Issues with file uploading")
+
         destination = open(target, "wb+")
         for chunk in f_name.chunks():
             destination.write(chunk)
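Review bot: The `target.startswith(path)` guard on the added line is a string-prefix test, not a containment test: when `path` has no trailing separator, a name that resolves to a sibling directory sharing the prefix (e.g. `path="/srv/images"` and a target under `/srv/images-old/`) passes, and `os.path.normpath` does not resolve symlinks, so a link inside `path` can still point the write outside it. The same added line also drops the `str()` the removed line applied to `f_name`; `f_name` is used as an upload object (`f_name.chunks()`), and unless that object implements `os.fspath`, `os.path.join(path, f_name)` raises `TypeError` before the check ever runs. A containment test on resolved paths closes both: `base = os.path.realpath(path)`, `target = os.path.realpath(os.path.join(base, str(f_name)))`, `if os.path.commonpath([base, target]) != base:` with the `raise` kept as is. Raising bare `Exception` also leaves callers no way to catch this case selectively; `ValueError` (or Django's `SuspiciousFileOperation`, which is meant for exactly this) names the failure. `handle_uploaded_file` is nested inside `storage`, whose definition starts before the hunk, and its body continues past the hunk's last line.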