Issue #8099
closed
File upload causes django.security.SuspiciousFileOperation:ERROR
Description
Versions:
pulpcore 3.9.0
pulp-file 1.5.0
When trying to upload a file via /pulp/api/v3/uploads, a 400 is thrown with the error in the title.
Traceback:
Jan 14 21:13:48 centos7-katello-devel-2 pulpcore-api: pulp [f53c4be45f9c4504aec7518c24847b8e]: django.security.SuspiciousFileOperation:ERROR: The joined path (/var/lib/pulp/upload/867d321b-de81-4f0f-bad9-713f9e92dd5f) is located outside of the base path component (/var/lib/pulp/media) Jan 14 21:13:48 centos7-katello-devel-2 pulpcore-api: pulp [f53c4be45f9c4504aec7518c24847b8e]: django.request:WARNING: Bad Request: /pulp/api/v3/uploads/ef9b403f-c0fe-49e7-b2df-c4199f534ef2/
Updated by iballou over 3 years ago
Seems to be an issue with uploading RPMs too.
Updated by jsherril@redhat.com about 3 years ago
- Priority changed from Normal to High
Updated by dkliban@redhat.com about 3 years ago
I believe this is due to the settings that were set by the installer. Pulpcore 3.10.0 is going to handle this much better, but we will not be able to fix it in 3.9.z.
Updated by ekohl about 3 years ago
The problem is that chunked upload is required to be within the media root. If you configure settings.CHUNKED_UPLOAD_DIR outside of that, it's deemed insecure since it could be trying to write to a insecure location.
In https://github.com/pulp/pulpcore/pull/799 I've chosen to configure it as a separate storage (https://github.com/pulp/pulpcore/pull/799/files#diff-3b7393fd8979f6a11ff65fe14ec74103a030415a943ce38a6eac7de85a2d92fdR11) and then use that in the upload form (https://github.com/pulp/pulpcore/pull/799/files#diff-03bb26bef2f063c5e13c435d8c58f624a9649bad78b53df8cc2463204238f674R62). That makes Django think that it's safe (which it is).
Updated by pulpbot about 3 years ago
- Status changed from NEW to POST
Updated by pulpbot about 3 years ago
Added by dkliban@redhat.com about 3 years ago
Updated by dkliban@redhat.com about 3 years ago
- Status changed from POST to MODIFIED
Applied in changeset pulpcore|a805312435188aaeeb82b38700598af1c1d001aa.
Updated by pulpbot about 3 years ago
Added by dkliban@redhat.com about 3 years ago
Revision 9f6e1b12 | View on GitHub
Make CHUNKED_UPLOAD_DIR a relative path
In 1b6c736 uploads were changed to use the default storage (uses settings.MEDIA_ROOT). Anything that's written outside of storage location raises a SuspiciousOperation. That already made the implicit requirement that CHUNKED_UPLOAD_DIR was relative.
Users could hit this if they modified MEDIA_ROOT in their settings but kept CHUNKED_UPLOAD_DIR default.
If a relative path is used, Django prepends the location and it is guaranteed to be a safe location. This changes the default value to be relative and updates the documentation to reflect this.
Updated by ttereshc about 3 years ago
- Sprint/Milestone changed from 3.9.1 to 3.10.0
Updated by ttereshc about 3 years ago
- Status changed from MODIFIED to CLOSED - CURRENTRELEASE
- Sprint/Milestone changed from 3.10.0 to 3.9.1
.
Make CHUNKED_UPLOAD_DIR a relative path
In 1b6c736 uploads were changed to use the default storage (uses settings.MEDIA_ROOT). Anything that's written outside of storage location raises a SuspiciousOperation. That already made the implicit requirement that CHUNKED_UPLOAD_DIR was relative.
Users could hit this if they modified MEDIA_ROOT in their settings but kept CHUNKED_UPLOAD_DIR default.
If a relative path is used, Django prepends the location and it is guaranteed to be a safe location. This changes the default value to be relative and updates the documentation to reflect this.
fixes: #8099 https://pulp.plan.io/issues/8099