Invalid upload_to FileField attribute results in hard-to-debug "Bad Request" 400 error.
| Reported by: | Sam Thompson | Owned by: | ANUBHAV JOSHI |
| Cc: | Tim Graham | Triage Stage: | Accepted |
| Has patch: | no | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
It's admirable that Django tries to prevent files from being uploaded outside of MEDIA_ROOT. However, the documentation for file uploads (https://docs.djangoproject.com/en/dev/topics/http/file-uploads/) doesn't make this requirement clear, and getting it wrong results in several layers of useful error messages getting eaten by a generic message instead.
It starts with django.utils._os.safe_join raising a ValueError if the upload_to path isn't within MEDIA_ROOT. This has a useful message payload showing both paths and why the exception happened. This message isn't logged.
However, django.core.files.storage.FileSystemStorage.path immediately catches that exception, eats the message, and raises a much more generic SuspiciousFileOperation, containing the desired path but no explanation of what went wrong.
Finally, django.core.handlers.base.BaseHandler.get_response catches that SuspiciousOperation, logs the message (good if you have logging turned on, which many users do not), eats the exception and returns a 400 response instead.
All the user sees is "400 Bad Request", no traceback and certainly not the original and useful ValueError message.
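The three layers described in the ticket, as a stand-alone model (an added example, not Django's code and not part of the original ticket). The functions `path_lossy`, `path_chained` and `handle`, the message texts and the sample paths are constructed for illustration; `path_chained` shows one way to keep the original explanation by chaining the exception.

```python
import os

class SuspiciousFileOperation(Exception):
    """Stand-in for the Django exception of the same name."""

def safe_join(base, *paths):
    # Simplified containment check: resolve the joined path and refuse
    # anything that lands outside the base directory.
    base = os.path.abspath(base)
    final = os.path.abspath(os.path.join(base, *paths))
    if os.path.commonpath([base, final]) != base:
        raise ValueError("joined path %s is outside base path %s" % (final, base))
    return final

def path_lossy(media_root, name):
    # Behaviour the ticket describes: the ValueError text is discarded and
    # only a generic message naming the requested path survives.
    try:
        return safe_join(media_root, name)
    except ValueError:
        raise SuspiciousFileOperation("access to %r denied" % name) from None

def path_chained(media_root, name):
    # Alternative: same exception type, but the explanation stays attached
    # as __cause__ so a later layer can still log it.
    try:
        return safe_join(media_root, name)
    except ValueError as exc:
        raise SuspiciousFileOperation("access to %r denied" % name) from exc

def handle(path_func, media_root, upload_to):
    # Model of the request handler: the exception becomes a 400 response
    # and only what reaches the log is available for debugging.
    log = []
    try:
        path_func(media_root, upload_to)
    except SuspiciousFileOperation as exc:
        log.append(str(exc))
        if exc.__cause__ is not None:
            log.append("caused by: %s" % exc.__cause__)
        return 400, log
    return 200, log

if __name__ == "__main__":
    # Constructed misconfiguration: an upload_to that resolves outside MEDIA_ROOT.
    for func in (path_lossy, path_chained):
        print(func.__name__, handle(func, "/srv/media", "/tmp/uploads"))
```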
Change History (12)
comment:1 Changed 3 years ago by
| Patch needs improvement: | unset |
| Summary: | Invalid upload_to attribute results in hard-to-debug "Bad Request" 400 error. → Invalid upload_to FileField attribute results in hard-to-debug "Bad Request" 400 error. |
comment:3 Changed 3 years ago by
| Cc: | Tim Graham added |
| Component: | Uncategorized → HTTP handling |
| Type: | Bug → Cleanup/optimization |
comment:5 Changed 2 years ago by
| Component: | HTTP handling → Documentation |
| Triage Stage: | Unreviewed → Accepted |