Invalid upload_to FileField attribute results in hard-to-debug "Bad Request" 400 error.
|Reported by:||GDorn||Owned by:||anubhav9042|
|Has patch:||no||Needs documentation:||no|
|Needs tests:||no||Patch needs improvement:||no|
It's admirable that django tries to prevent files from being uploaded outside of MEDIA_ROOT. However, the documentation for file uploads (https://docs.djangoproject.com/en/dev/topics/http/file-uploads/) doesn't make this requirement clear, and getting it wrong results in several layers of useful error messages getting eaten by a generic message instead.
It starts with django.utils._os.safe_join raising a ValueError if the upload_to path isn't within MEDIA_ROOT. This has a useful message payload showing both paths and why the exception happened. This message isn't logged.
However, django.core.files.storage.FileSystemStorage.path immediately catches that exception, eats the message, and raises a much more generic SuspiciousFileOperation, containing the desired path but no explanation of what went wrong.
Finally, django.core.handlers.base.BaseHandler.get_response catches that SuspiciousOperation, logs the message (good if you have logging turned on, which many users do not), eats the exception and returns a 400 response instead.
All the user sees is "400 Bad Request", no traceback and certainly not the original and useful ValueError message.
Change History (12)
comment:1 Changed 2 years ago by GDorn
- Needs documentation unset
- Needs tests unset
- Patch needs improvement unset
- Summary changed from Invalid upload_to attribute results in hard-to-debug "Bad Request" 400 error. to Invalid upload_to FileField attribute results in hard-to-debug "Bad Request" 400 error.
comment:3 Changed 2 years ago by timo
- Cc timo added
- Component changed from Uncategorized to HTTP handling
- Type changed from Bug to Cleanup/optimization
comment:5 Changed 23 months ago by timo
- Component changed from HTTP handling to Documentation
- Triage Stage changed from Unreviewed to Accepted
comment:6 Changed 21 months ago by anubhav9042
- Owner changed from nobody to anubhav9042
- Status changed from new to assigned