Merge pull request #528 from liangliangyy/dev

路径修复
4 years ago · a8fecaef5b
parent 6bbfcb6f05 f43a90d037
commit a8fecaef5b
2 changed files with 6 additions and 4 deletions
--- a/bin/docker_start.sh
+++ b/bin/docker_start.sh
@ -1,6 +1,6 @@
-#!/bin/bash
+#!/usr/bin/env bash
 NAME="djangoblog" # Name of the application
-DJANGODIR=/code/DjangoBlog # Django project directory
+DJANGODIR=/code/djangoBlog # Django project directory
 USER=root # the user to run as
 GROUP=root # the group to run as
 NUM_WORKERS=1 # how many worker processes should Gunicorn spawn
--- a/blog/views.py
+++ b/blog/views.py
@ -14,9 +14,9 @@ from django.views.decorators.csrf import csrf_exempt
 from django.views.generic.detail import DetailView
 from django.views.generic.list import ListView

-from djangoblog.utils import cache, get_sha256, get_blog_setting
 from blog.models import Article, Category, Tag, Links, LinkShowType
 from comments.forms import CommentForm
+from djangoblog.utils import cache, get_sha256, get_blog_setting

 logger = logging.getLogger(__name__)

@ -296,7 +296,9 @@ def fileupload(request):
                type='files' if not isimage else 'image', timestr=timestr, filename=filename)
            if not os.path.exists(basepath):
                os.makedirs(basepath)
-            savepath = os.path.join(basepath, f"{uuid.uuid4().hex}{os.path.splitext(filename)[-1]}")
+            savepath = os.path.normpath(os.path.join(basepath, f"{uuid.uuid4().hex}{os.path.splitext(filename)[-1]}"))
+            if not savepath.startswith(basepath):
+                return HttpResponse("only for post")
            with open(savepath, 'wb+') as wfile:
                for chunk in request.FILES[filename].chunks():
                    wfile.write(chunk)