1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
|
from pathlib import Path
from python_multipart.multipart import File
def test_upload_dir_with_leading_slash_in_filename(tmp_path: Path) -> None:
upload_dir = tmp_path / "upload"
upload_dir.mkdir()
# When the file_name provided has a leading slash, we should only use the basename.
# This is to avoid directory traversal.
to_upload = tmp_path / "foo.txt"
file = File(
bytes(to_upload),
config={
"UPLOAD_DIR": bytes(upload_dir),
"UPLOAD_KEEP_FILENAME": True,
"UPLOAD_KEEP_EXTENSIONS": True,
"MAX_MEMORY_FILE_SIZE": 10,
},
)
file.write(b"123456789012")
assert not file.in_memory
assert Path(upload_dir / "foo.txt").exists()
assert Path(upload_dir / "foo.txt").read_bytes() == b"123456789012"
|
