id summary reporter owner description type status component version severity resolution keywords cc stage has_patch needs_docs needs_tests needs_better_patch easy ui_ux 10147 Possible wrong check in django.utils._os Moorthy RS nobody "I have a model that accepts an Image. And I have specified the upload_dir to /home/myproject/media/upload. And whenever I try to save an image, it gives an error ""SuspiciousOperation: Attempted access to /home/myproject/media/upload/image.png denied"". Problem appears only when used with Apache, but with the development server, there were no errors. I searched and found that the only suggestion was a possible missing or extra ""/"" separator. I tried specifying without and with the leading slash, but with no luck. I debugged around and found this code, responsible for the error: {{{ if not final_path.startswith(base_path) \ or final_path[base_path_len:base_path_len+1] not in ('', sep): raise ValueError('the joined path is located outside of the base path' ' component') }}} I found base_path was a ""/"" and final_path was ""/home/myproject/media/upload"". And hence ""final_path.startswith(base_path)"" returns true and ""final_path[base_path_len:base_path_len+1] returns 'h' which IS not in empty string or sep. So the if condition should fail, but it was succeeding. I changed the code to this snippet (by adding appropriate paranthesis like ""if not (condition)"") and it started working correctly! {{{ if not (final_path.startswith(base_path) \ or final_path[base_path_len:base_path_len+1] not in ('', sep)): raise ValueError('the joined path is located outside of the base path' ' component') }}} I am a newbie in python (and as well in django), but I see the lack of paranthesis has got the precedence going wrong, and an unexpected result. This needs to be corrected, as indicated above." Bug closed File uploads/storage 1.0 Normal needsinfo Design decision needed 0 0 0 0 0 0