Opened 15 years ago
Closed 12 years ago
#12397 closed Bug (fixed)
FileSystemStorage(location='/') does not work: SuspiciousOperation
Reported by: | Owned by: | nobody | |
---|---|---|---|
Component: | File uploads/storage | Version: | 1.1 |
Severity: | Normal | Keywords: | |
Cc: | Triage Stage: | Accepted | |
Has patch: | no | Needs documentation: | no |
Needs tests: | no | Patch needs improvement: | no |
Easy pickings: | no | UI/UX: | no |
Description
>>> from django.core.files.storage import FileSystemStorage >>> >>> LOCAL_FS = FileSystemStorage(location='/', base_url='invalid://') >>> LOCAL_FS.path('anything') Traceback (most recent call last): File "<console>", line 1, in <module> File "/usr/local/lib/python2.5/site-packages/django/core/files/storage.py", line 214, in path raise SuspiciousOperation("Attempted access to '%s' denied." % name) SuspiciousOperation: Attempted access to 'anything' denied.
This is caused because safe_join expects the first character after the storage.location ('base' in safe_join) to be a separator. When base='/foo' this is true because '/foo/anything' has a '/' after '/foo', but when path is '/' you don't get 'anything', you get '/anything', and the first character after '/' is 'a'.
I don't see a way to hack around this because of all the path normalization that goes on. You'd think '/.' might work, but it gets normalized and then fails.
Change History (5)
comment:1 by , 15 years ago
Triage Stage: | Unreviewed → Accepted |
---|
comment:2 by , 14 years ago
Severity: | → Normal |
---|---|
Type: | → Bug |
comment:5 by , 12 years ago
Resolution: | → fixed |
---|---|
Status: | new → closed |
Note:
See TracTickets
for help on using tickets.
I would be remiss if I didn't point out that opening '/' as the root of a file system store has all sorts of security implications. However, from a "consenting adults" perspective, I can't see any reason that it shouldn't be allowed.