Unverified Commit 47c1136b authored by Thom Wiggers's avatar Thom Wiggers 📐

Unquote thumbnail URL

Fixes #390
parent ae728405
......@@ -14,7 +14,8 @@ from .models import Album, Photo
def validate_uploaded_archive(uploaded_file):
types = ['application/gzip', 'application/zip']
types = ['application/gzip', 'application/zip',
if magic.from_buffer(uploaded_file.read(), mime=True) not in types:
raise ValidationError("Only zip and tar files are allowed.")
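Review bot: `magic.from_buffer(uploaded_file.read(), mime=True)` sits directly under the list this commit extends (the new entry is cut off in this view) and reads the whole upload into memory just to sniff its type, leaving the stream at end-of-file for whatever consumes it next. libmagic only needs the leading bytes, so `head = uploaded_file.read(2048)` followed by `uploaded_file.seek(0)` and `magic.from_buffer(head, mime=True)` bounds the memory cost per upload. The message "Only zip and tar files are allowed." should also be checked against the extended list so the user-facing text still matches what is accepted. The MIME check establishes only the container type; it says nothing about the member paths inside the archive, which the extraction code (not visible here) still has to constrain.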
......@@ -19,6 +19,7 @@ def _private_thumbnails_unauthed(request, size_fit, original_path):
to the authentication requirements for thumbnails, e.g. when sharing
photo albums with external parties using access tokens.
original_path = urlunquote(original_path)
thumbpath = os.path.join(settings.MEDIA_ROOT, 'thumbnails', size_fit)
path = os.path.normpath(os.path.join(thumbpath, original_path))
if not os.path.commonpath([thumbpath, path]) == thumbpath:
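Review bot: The added `urlunquote(original_path)` is only safe because it runs before the `normpath`/`commonpath` containment check, and nothing in the code records that ordering. A comment directly above it, such as `# Decode first: the containment check below must see the final path.`, would keep a later refactor from moving the decode beneath the check. The framework has normally percent-decoded the request path once already, so this is a second decode; a regression test that requests a thumbnail whose name contains percent-encoded `..` segments and expects the rejection branch would pin the behaviour. `size_fit` is also joined into `thumbpath`, the base the check compares against, so if the URL pattern (not visible here) does not constrain it, validating it against the configured thumbnail sizes is worth adding. The function body continues outside the hunk.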