﻿id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
10147	Possible wrong check in django.utils._os	Moorthy RS	nobody	"I have a model that accepts an Image. And I have specified the upload_dir to /home/myproject/media/upload. And whenever I try to save an image, it gives an error ""SuspiciousOperation: Attempted access to /home/myproject/media/upload/image.png denied"". Problem appears only when used with Apache, but with the development server, there were no errors. I searched and found that the only suggestion was a possible missing or extra ""/"" separator. I tried specifying without and with the leading slash, but with no luck.

I debugged around and found this code, responsible for the error:

{{{
    if not final_path.startswith(base_path) \
       or final_path[base_path_len:base_path_len+1] not in ('', sep):
        raise ValueError('the joined path is located outside of the base path'
                         ' component')

}}}

I found base_path was a ""/"" and final_path was ""/home/myproject/media/upload"". And hence ""final_path.startswith(base_path)"" returns true and ""final_path[base_path_len:base_path_len+1]"" returns 'h', which IS not in empty string or sep. So the if condition should fail, but it was succeeding. I changed the code to this snippet (by adding appropriate parentheses like ""if not (condition)"") and it started working correctly!


{{{
    if not (final_path.startswith(base_path) \
       or final_path[base_path_len:base_path_len+1] not in ('', sep)):
        raise ValueError('the joined path is located outside of the base path'
                         ' component')

}}}

I am a newbie in Python (and in Django as well), but I see the lack of parentheses has got the precedence going wrong, and an unexpected result.

This needs to be corrected, as indicated above."	Bug	closed	File uploads/storage	1.0	Normal	needsinfo			Design decision needed	0	0	0	0	0	0
