Opened 14 years ago
Closed 12 years ago
#12397 closed Bug (fixed)
FileSystemStorage(location='/') does not work: SuspiciousOperation
| Reported by: | Owned by: | nobody | |
|---|---|---|---|
| Component: | File uploads/storage | Version: | 1.1 |
| Severity: | Normal | Keywords: | |
| Cc: | Triage Stage: | Accepted | |
| Has patch: | no | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | no | UI/UX: | no |
Description
>>> from django.core.files.storage import FileSystemStorage
>>>
>>> LOCAL_FS = FileSystemStorage(location='/', base_url='invalid://')
>>> LOCAL_FS.path('anything')
Traceback (most recent call last):
File "<console>", line 1, in <module>
File "/usr/local/lib/python2.5/site-packages/django/core/files/storage.py", line 214, in path
raise SuspiciousOperation("Attempted access to '%s' denied." % name)
SuspiciousOperation: Attempted access to 'anything' denied.
This is caused because safe_join expects the first character after the storage.location ('base' in safe_join) to be a separator. When base='/foo' this is true because '/foo/anything' has a '/' after '/foo', but when path is '/' you don't get 'anything', you get '/anything', and the first character after '/' is 'a'.
I don't see a way to hack around this because of all the path normalization that goes on. You'd think '/.' might work, but it gets normalized and then fails.
Change History (5)
comment:1 by , 14 years ago
| Triage Stage: | Unreviewed → Accepted |
|---|
comment:2 by , 13 years ago
| Severity: | → Normal |
|---|---|
| Type: | → Bug |
comment:5 by , 12 years ago
| Resolution: | → fixed |
|---|---|
| Status: | new → closed |
Note:
See TracTickets
for help on using tickets.
I would be remiss if I didn't point out that opening '/' as the root of a file system store has all sorts of security implications. However, from a "consenting adults" perspective, I can't see any reason that it shouldn't be allowed.