Opened 10 years ago

Closed 7 years ago

#12397 closed Bug (fixed)

FileSystemStorage(location='/') does not work: SuspiciousOperation

Reported by: ben@… Owned by: nobody
Component: File uploads/storage Version: 1.1
Severity: Normal Keywords:
Cc: Triage Stage: Accepted
Has patch: no Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no


>>> from django.core.files.storage import FileSystemStorage
>>> LOCAL_FS = FileSystemStorage(location='/', base_url='invalid://')
>>> LOCAL_FS.path('anything')
Traceback (most recent call last):
  File "<console>", line 1, in <module>
  File "/usr/local/lib/python2.5/site-packages/django/core/files/", line 214, in path
    raise SuspiciousOperation("Attempted access to '%s' denied." % name)
SuspiciousOperation: Attempted access to 'anything' denied.

This happens because safe_join expects the first character after the storage.location ('base' in safe_join) to be a separator. When base='/foo' this is true because '/foo/anything' has a '/' after '/foo', but when path is '/' you don't get 'anything', you get '/anything', and the first character after '/' is 'a'.

I don't see a way to hack around this because of all the path normalization that goes on. You'd think '/.' might work, but it gets normalized and then fails.

Change History (5)

comment:1 Changed 10 years ago by Russell Keith-Magee

Triage Stage: Unreviewed → Accepted

I would be remiss if I didn't point out that opening '/' as the root of a file system store has all sorts of security implications. However, from a "consenting adults" perspective, I can't see any reason that it shouldn't be allowed.

comment:2 Changed 8 years ago by Matt McClanahan

Severity: Normal
Type: Bug

comment:3 Changed 8 years ago by Aymeric Augustin

UI/UX: unset

Change UI/UX from NULL to False.

comment:4 Changed 8 years ago by Aymeric Augustin

Easy pickings: unset

Change Easy pickings from NULL to False.

comment:5 Changed 7 years ago by Alex Gaynor <alex.gaynor@…>

Resolution: fixed
Status: new → closed

In [b865009d414a0f6fd0c0f5ad7434b2c13eb761c7]:

Fixed #12397 -- allow safe_join to work with the root file system path, which means you can have your root template or file upload path at this location. You almost certainly don't want to do this, except in *very* limited sandboxed situations.
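The following is an added illustration, not Django's own code: a reconstruction of the containment check in safe_join as described in the report above, beside a root-aware variant in the spirit of the fix. It assumes POSIX path semantics, and SuspiciousOperation is a stand-in class for the Django exception.

```python
from os.path import abspath, dirname, join, normcase, sep


class SuspiciousOperation(Exception):
    """Stand-in for django.core.exceptions.SuspiciousOperation (constructed)."""


def safe_join_old(base, *paths):
    # Pre-fix check: the normalised joined path must start with base, and
    # the character right after base must be a separator (or nothing, when
    # the joined path *is* base). With base '/', abspath gives '/' and the
    # next character of '/anything' is 'a', so every name is rejected.
    base_path = normcase(abspath(base))
    final_path = normcase(abspath(join(base, *paths)))
    n = len(base_path)
    if not final_path.startswith(base_path) or final_path[n:n + 1] not in ('', sep):
        raise SuspiciousOperation("Attempted access to '%s' denied." % join(*paths))
    return final_path


def safe_join_fixed(base, *paths):
    # Same containment rule, but a base whose dirname is itself is the
    # filesystem root: nothing absolute can escape it, so the separator
    # test is skipped there. Traversal out of any other base still fails.
    base_path = normcase(abspath(base))
    final_path = normcase(abspath(join(base, *paths)))
    base_is_root = dirname(base_path) == base_path
    if (not final_path.startswith(base_path + sep)
            and final_path != base_path
            and not base_is_root):
        raise SuspiciousOperation("Attempted access to '%s' denied." % join(*paths))
    return final_path


def raises_suspicious(fn, *args):
    """Return True if fn(*args) raises SuspiciousOperation (test helper)."""
    try:
        fn(*args)
    except SuspiciousOperation:
        return True
    return False


if __name__ == "__main__":
    print(safe_join_fixed('/', 'anything'))                 # /anything
    print(raises_suspicious(safe_join_old, '/', 'anything'))  # True (the bug)
    print(raises_suspicious(safe_join_fixed, '/foo', '../etc/passwd'))  # True
```

The '/.' workaround from the report fails for the same reason: abspath('/.') normalises to '/', so the old check sees exactly the same input.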
