Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

SuspiciousFileOperation with Django 2.2.21 #60

Open
courcelm opened this issue May 4, 2021 · 1 comment · May be fixed by #61
Open

SuspiciousFileOperation with Django 2.2.21 #60

courcelm opened this issue May 4, 2021 · 1 comment · May be fixed by #61

Comments

@courcelm
Copy link

courcelm commented May 4, 2021
edited
Loading

A new file security checkup in Django 2.2.21 throws SuspiciousFileOperation.

For reference see:
https://docs.djangoproject.com/en/dev/releases/2.2.21/
django/django@04ac162

Django now prevents empty file name:

# Remove potentially dangerous names if name in {'', '.', '..'}: raise SuspiciousFileOperation("Could not derive file name from '%s'" % name)

The class ChunkedUploadView initializes the file with an empty name:

def create_chunked_upload(self, save=False, **attrs): """ Creates new chunked upload instance. Called if no 'upload_id' is found in the POST data. """ chunked_upload = self.model(**attrs) # file starts empty chunked_upload.file.save(name='', content=ContentFile(''), save=save) return chunked_upload

The name needs to be changed to something not empty to fix this issue.

Until this issue is fixed, it is possible to override create_chunked_upload with a custom class:

`
class MyChunkedUploadView(ChunkedUploadView):
"""
This view receives the posted chunk
"""

model = ChunkedUploadedFile
field_name = 'the_file'

def create_chunked_upload(self, save=False, **attrs):
    """
    Creates new chunked upload instance. Called if no 'upload_id' is
    found in the POST data.
    """
    chunked_upload = self.model(**attrs)
    # file starts empty
    chunked_upload.file.save(name='tmp', content=ContentFile(''), save=save)
    return chunked_upload`
steverecio added a commit to steverecio/django-chunked-upload that referenced this issue May 6, 2021
@steverecio
use filename tmp instead of empty file (juliomalegria#60)
8b1feb9
@steverecio steverecio linked a pull request May 6, 2021 that will close this issue
Open
@i-am-b-soto
Copy link

i-am-b-soto commented May 13, 2021
edited
Loading

Hi.

Can confirm I have the same problem
Django==3.1.4

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Fix #60 steverecio/django-chunked-upload
2 participants
@courcelm @i-am-b-soto