路径修复

liangliangyy · liangliangyy · commit f43a90d0379d · 2021-12-15T11:33:54.000+08:00
diff --git a/bin/docker_start.sh b/bin/docker_start.sh
@@ -1,6 +1,6 @@
-#!/bin/bash
+#!/usr/bin/env bash
 NAME="djangoblog" # Name of the application
-DJANGODIR=/code/DjangoBlog # Django project directory
+DJANGODIR=/code/djangoBlog # Django project directory
 USER=root # the user to run as
 GROUP=root # the group to run as
 NUM_WORKERS=1 # how many worker processes should Gunicorn spawn
diff --git a/blog/views.py b/blog/views.py
@@ -14,9 +14,9 @@
 from django.views.generic.detail import DetailView
 from django.views.generic.list import ListView
 
-from djangoblog.utils import cache, get_sha256, get_blog_setting
 from blog.models import Article, Category, Tag, Links, LinkShowType
 from comments.forms import CommentForm
+from djangoblog.utils import cache, get_sha256, get_blog_setting
 
 logger = logging.getLogger(__name__)
 
@@ -296,7 +296,9 @@ def fileupload(request):
                 type='files' if not isimage else 'image', timestr=timestr, filename=filename)
             if not os.path.exists(basepath):
                 os.makedirs(basepath)
-            savepath = os.path.join(basepath, f"{uuid.uuid4().hex}{os.path.splitext(filename)[-1]}")
+            savepath = os.path.normpath(os.path.join(basepath, f"{uuid.uuid4().hex}{os.path.splitext(filename)[-1]}"))
+            if not savepath.startswith(basepath):
+                return HttpResponse("only for post")
             with open(savepath, 'wb+') as wfile:
                 for chunk in request.FILES[filename].chunks():
                     wfile.write(chunk)
