PhotoBackup / server-bottle

The Python PhotoBackup server implementation
https://photobackup.github.io/
GNU General Public License v2.0

Fixes security issue with upload file name #20

Closed balkierode closed 7 years ago

balkierode commented 7 years ago

When the filename starts with '/', os.path.join ignores config['MediaRoot'] and just returns the raw_filename sent by the client. So if the client is compromised or malicious, it can write to any file on the server that can be written by the webserver process. E.g. the curl command below will silently update the .zshenv file:

curl --form "upfile=@hacker-env-file;filename=/home/balkierode/.zshenv" --form filesize=123 --form password=xxxxxxxxxxxx http://x.x.x.x:8420

ref: https://docs.python.org/3/library/os.path.html#os.path.join

If a component is an absolute path, all previous components are thrown away and joining continues from the absolute path component.

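The os.path.join behaviour the issue describes, shown as an added example that is not the project's code and not the fix that was merged: the vulnerable join next to one hardened variant that rejects absolute filenames and anything that normalises to a path outside the media root. MEDIA_ROOT is a constructed stand-in for config['MediaRoot'], the sample filenames are constructed (one of them is the filename from the curl command above), and POSIX paths are assumed.

```python
import os

# Constructed stand-in for the server's config['MediaRoot'] (an assumption,
# not the project's real default).
MEDIA_ROOT = "/var/lib/photobackup/media"


def vulnerable_target(media_root, raw_filename):
    """The pattern the issue describes: os.path.join discards every component
    before an absolute one, so a client-supplied '/home/.../.zshenv' wins."""
    return os.path.join(media_root, raw_filename)


def safe_target(media_root, raw_filename):
    """Hardened variant (added example, not the project's own code).

    Rejects absolute client filenames outright, then normalises the joined
    path and requires that it still lies under media_root, which also blocks
    '../../etc/passwd' style traversal. The filesystem is not consulted, so
    symlinks inside media_root are out of scope here.
    """
    if not raw_filename:
        raise ValueError("empty filename")
    if os.path.isabs(raw_filename):
        raise ValueError(f"absolute filename rejected: {raw_filename!r}")
    root = os.path.abspath(media_root)
    candidate = os.path.normpath(os.path.join(root, raw_filename))
    # commonpath is the deepest directory shared by both paths; anything other
    # than root itself means the candidate escaped the media root.
    if os.path.commonpath([root, candidate]) != root or candidate == root:
        raise ValueError(f"path escapes media root: {raw_filename!r}")
    return candidate


def is_accepted(media_root, raw_filename):
    """True when safe_target would accept the filename, False when it rejects it."""
    try:
        safe_target(media_root, raw_filename)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample filenames: an honest upload, the filename from the
    # issue's curl command, and two traversal variants.
    samples = [
        "2017/IMG_0001.jpg",
        "/home/balkierode/.zshenv",
        "../../../../etc/cron.d/job",
        "./sub/../../outside.txt",
    ]
    for name in samples:
        joined = vulnerable_target(MEDIA_ROOT, name)
        safe = safe_target(MEDIA_ROOT, name) if is_accepted(MEDIA_ROOT, name) else "REJECTED"
        print(f"{name!r:32} join -> {joined}")
        print(f"{'':32} safe -> {safe}")
```

Running the script prints, for each sample, what the plain join would have written to and what the hardened check does with it: the honest upload lands under MEDIA_ROOT in both cases, the absolute '.zshenv' path comes straight back from os.path.join but is rejected by safe_target, and the two '..' variants resolve to /etc/cron.d/job and /var/lib/photobackup/outside.txt under the plain join and are rejected by the commonpath check.
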
stephanepechard commented 7 years ago

Great catch, thanks a lot!