Opened 5 years ago

Closed 3 years ago

#12397 closed Bug (fixed)

FileSystemStorage(location='/') does not work: SuspiciousOperation

Reported by: ben@…
Owned by: nobody
Component: File uploads/storage
Version: 1.1
Severity: Normal
Keywords:
Cc:
Triage Stage: Accepted
Has patch: no
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings: no
UI/UX: no

Description

>>> from django.core.files.storage import FileSystemStorage
>>>
>>> LOCAL_FS = FileSystemStorage(location='/', base_url='invalid://')
>>> LOCAL_FS.path('anything')
Traceback (most recent call last):
  File "<console>", line 1, in <module>
  File "/usr/local/lib/python2.5/site-packages/django/core/files/storage.py", line 214, in path
    raise SuspiciousOperation("Attempted access to '%s' denied." % name)
SuspiciousOperation: Attempted access to 'anything' denied.

This is caused because safe_join expects the first character after the storage.location ('base' in safe_join) to be a separator. When base='/foo' this is true because '/foo/anything' has a '/' after '/foo', but when path is '/' you don't get 'anything', you get '/anything', and the first character after '/' is 'a'.

I don't see a way to hack around this because of all the path normalization that goes on. You'd think '/.' might work, but it gets normalized and then fails.

Change History (5)

comment:1 Changed 5 years ago by russellm

  • Needs documentation unset
  • Needs tests unset
  • Patch needs improvement unset
  • Triage Stage changed from Unreviewed to Accepted

I would be remiss if I didn't point out that opening '/' as the root of a file system store has all sorts of security implications. However, from a "consenting adults" perspective, I can't see any reason that it shouldn't be allowed.

comment:2 Changed 4 years ago by mattmcc

  • Severity set to Normal
  • Type set to Bug

comment:3 Changed 3 years ago by aaugustin

  • UI/UX unset

Change UI/UX from NULL to False.

comment:4 Changed 3 years ago by aaugustin

  • Easy pickings unset

Change Easy pickings from NULL to False.

comment:5 Changed 3 years ago by Alex Gaynor <alex.gaynor@…>

  • Resolution set to fixed
  • Status changed from new to closed

In [b865009d414a0f6fd0c0f5ad7434b2c13eb761c7]:

Fixed #12397 -- allow safe_join to work with the root file system path, which means you can have your root template or file upload path at this location. You almost certainly don't want to do this, except in *very* limited sandboxed situations.
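
The failure reported in this ticket, next to a root-aware form of the same containment check, as an added example (not Django's code and not the committed fix). The function names are hypothetical, and `posixpath` is used so the results are the same on any platform.

```python
import posixpath


def check_as_described(base, *paths):
    """Containment check as the ticket describes it: the character right
    after the base prefix must be a separator (or nothing)."""
    final = posixpath.abspath(posixpath.join(base, *paths))
    base = posixpath.abspath(base)
    n = len(base)
    if not final.startswith(base) or final[n:n + 1] not in ("", "/"):
        raise ValueError("joined path is outside the base path")
    return final


def check_root_aware(base, *paths):
    """Same containment rule, with the filesystem root handled."""
    final = posixpath.abspath(posixpath.join(base, *paths))
    base = posixpath.abspath(base)
    # Root already ends in a separator; any other base needs one appended
    # so that '/foo' does not also match '/foobar'.
    prefix = base if base.endswith("/") else base + "/"
    if final != base and not final.startswith(prefix):
        raise ValueError("joined path is outside the base path")
    return final


def outcome(check, base, name):
    """Return the resolved path, or 'DENIED' if the check rejects it."""
    try:
        return check(base, name)
    except ValueError:
        return "DENIED"


if __name__ == "__main__":
    # Constructed sample inputs: (storage location, requested name).
    samples = [
        ("/foo", "anything"),         # ordinary base
        ("/", "anything"),            # the case from this ticket
        ("/foo", "../foobar/x"),      # sibling directory sharing a prefix
        ("/", "../../srv/other"),     # root base: nothing left to deny
    ]
    for base, name in samples:
        print(base, name,
              outcome(check_as_described, base, name),
              outcome(check_root_aware, base, name))
```

With the base set to `/`, the root-aware check accepts every resolved path, which is the security implication raised in comment:1: the containment check stops being a boundary at all.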
