Path Traversal: How ../../settings.py Escapes Your Media Directory — and How Django's safe_join Stops It
June 18, 2026
Path traversal in Django: how os.path.join lets attackers escape MEDIA_ROOT, why safe_join stops it, and when FileField eliminates the risk. OWASP A01:2021.