From f43a90d0379d96e172c3e6d5ca9b95739a0e23f3 Mon Sep 17 00:00:00 2001
From: liangliangyy
Date: Wed, 15 Dec 2021 11:33:54 +0800
Subject: [PATCH] =?UTF-8?q?=E8=B7=AF=E5=BE=84=E4=BF=AE=E5=A4=8D?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 bin/docker_start.sh | 4 ++--
 blog/views.py | 6 ++++--
 2 files changed, 6 insertions(+), 4 deletions(-)

diff --git a/bin/docker_start.sh b/bin/docker_start.sh
index b5b2eb2..911bbee 100644
--- a/bin/docker_start.sh
+++ b/bin/docker_start.sh
@@ -1,6 +1,6 @@
-#!/bin/bash
+#!/usr/bin/env bash
 NAME="djangoblog" # Name of the application
-DJANGODIR=/code/DjangoBlog # Django project directory
+DJANGODIR=/code/djangoBlog # Django project directory
 USER=root # the user to run as
 GROUP=root # the group to run as
 NUM_WORKERS=1 # how many worker processes should Gunicorn spawn
diff --git a/blog/views.py b/blog/views.py
index 38e7327..710dbbf 100644
--- a/blog/views.py
+++ b/blog/views.py
@@ -14,9 +14,9 @@ from django.views.decorators.csrf import csrf_exempt
 from django.views.generic.detail import DetailView
 from django.views.generic.list import ListView
-from djangoblog.utils import cache, get_sha256, get_blog_setting
 from blog.models import Article, Category, Tag, Links, LinkShowType
 from comments.forms import CommentForm
+from djangoblog.utils import cache, get_sha256, get_blog_setting
 
 logger = logging.getLogger(__name__)
 
@@ -296,7 +296,9 @@ def fileupload(request):
 type='files' if not isimage else 'image', timestr=timestr, filename=filename)
 if not os.path.exists(basepath):
 os.makedirs(basepath)
-savepath = os.path.join(basepath, f"{uuid.uuid4().hex}{os.path.splitext(filename)[-1]}")
+savepath = os.path.normpath(os.path.join(basepath, f"{uuid.uuid4().hex}{os.path.splitext(filename)[-1]}"))
+if not savepath.startswith(basepath):
+return HttpResponse("only for post")
 with open(savepath, 'wb+') as wfile:
 for chunk in request.FILES[filename].chunks():
 wfile.write(chunk)
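Review bot: The new `savepath.startswith(basepath)` guard in the fileupload hunk runs only after `os.makedirs(basepath)` has already executed, and `basepath` itself appears to be derived from the request-supplied `filename` (the `filename=filename` argument in the first context line), so directories can be created before the check fires and a `basepath` that has already escaped the upload root is never rejected because it is the thing being compared against. The prefix test is also looser than intended: it accepts any sibling path whose name merely begins with `basepath` (no separator is enforced), and it compares a normalised `savepath` with an un-normalised `basepath`, which can spuriously reject valid paths. Normalise `basepath` first, anchor both comparisons on the project's fixed upload root with `os.path.commonpath`, create directories only after the check passes, and reply with a 4xx status, since the literal "only for post" describes a different condition. fileupload starts and ends outside this hunk, and the upload root's name is not visible here, so it appears as a labelled placeholder below.
```python
        # … unchanged: basepath computed from the upload type, timestr and filename …
        basepath = os.path.normpath(basepath)
        # UPLOAD_ROOT is a placeholder for the project's fixed upload directory (not shown in this hunk)
        if os.path.commonpath([UPLOAD_ROOT, basepath]) != UPLOAD_ROOT:
            return HttpResponse("invalid upload path", status=400)
        if not os.path.exists(basepath):
            os.makedirs(basepath)
        savepath = os.path.normpath(os.path.join(basepath, f"{uuid.uuid4().hex}{os.path.splitext(filename)[-1]}"))
        if os.path.commonpath([basepath, savepath]) != basepath:
            return HttpResponse("invalid upload path", status=400)
        # … unchanged: write the uploaded chunks to savepath …
```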