
Issue #8099

closed

File upload causes django.security.SuspiciousFileOperation:ERROR

Added by iballou over 1 year ago. Updated over 1 year ago.

Status:
CLOSED - CURRENTRELEASE
Priority:
High
Assignee:
Category:
-
Sprint/Milestone:
Start date:
Due date:
Estimated time:
Severity:
2. Medium
Version:
Platform Release:
OS:
Triaged:
Yes
Groomed:
No
Sprint Candidate:
No
Tags:
Katello
Sprint:
Sprint 88
Quarter:

Description

Versions:

pulpcore 3.9.0

pulp-file 1.5.0

When trying to upload a file via /pulp/api/v3/uploads, a 400 is thrown with the error in the title.

Traceback:

Jan 14 21:13:48 centos7-katello-devel-2 pulpcore-api: pulp [f53c4be45f9c4504aec7518c24847b8e]: django.security.SuspiciousFileOperation:ERROR: The joined path (/var/lib/pulp/upload/867d321b-de81-4f0f-bad9-713f9e92dd5f) is located outside of the base path component (/var/lib/pulp/media)
Jan 14 21:13:48 centos7-katello-devel-2 pulpcore-api: pulp [f53c4be45f9c4504aec7518c24847b8e]: django.request:WARNING: Bad Request: /pulp/api/v3/uploads/ef9b403f-c0fe-49e7-b2df-c4199f534ef2/

Actions #1

Updated by iballou over 1 year ago

Seems to be an issue with uploading RPMs too.

Actions #2

Updated by fao89 over 1 year ago

  • Triaged changed from No to Yes
Actions #3

Updated by jsherril@redhat.com over 1 year ago

  • Priority changed from Normal to High
Actions #4

Updated by dkliban@redhat.com over 1 year ago

I believe this is due to the settings that were set by the installer. Pulpcore 3.10.0 is going to handle this much better, but we will not be able to fix it in 3.9.z.

[0] https://github.com/pulp/pulpcore/pull/799/

Actions #5

Updated by ekohl over 1 year ago

The problem is that chunked upload is required to be within the media root. If you configure settings.CHUNKED_UPLOAD_DIR outside of that, it's deemed insecure since it could be trying to write to an insecure location.

In https://github.com/pulp/pulpcore/pull/799 I've chosen to configure it as a separate storage (https://github.com/pulp/pulpcore/pull/799/files#diff-3b7393fd8979f6a11ff65fe14ec74103a030415a943ce38a6eac7de85a2d92fdR11) and then use that in the upload form (https://github.com/pulp/pulpcore/pull/799/files#diff-03bb26bef2f063c5e13c435d8c58f624a9649bad78b53df8cc2463204238f674R62). That makes Django think that it's safe (which it is).
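The check ekohl describes, as an added illustration (not pulpcore's or Django's code): a simplified stand-in for the path-join guard Django's file storage applies, run against the absolute default from the traceback, the relative value the fix adopts, and a `..` component. `safe_join`, `chunk_path` and `check_setting` are constructed names; the upload id is the one from the log above.

```python
import posixpath

# Constructed example: a simplified re-implementation of the guard Django's
# storage backends apply when joining a name onto their base location.
class SuspiciousFileOperation(Exception):
    """Raised when a joined path escapes the storage's base location."""


def safe_join(base, *paths):
    """Join `paths` onto `base` and refuse any result outside `base`.

    An absolute component makes posixpath.join discard `base`, and '..'
    segments are resolved by abspath, so both land outside and are rejected.
    """
    base_path = posixpath.abspath(base)
    final_path = posixpath.abspath(posixpath.join(base_path, *paths))
    inside = final_path == base_path or final_path.startswith(
        base_path.rstrip("/") + "/"
    )
    if not inside:
        raise SuspiciousFileOperation(
            f"The joined path ({final_path}) is located outside of the "
            f"base path component ({base_path})"
        )
    return final_path


def chunk_path(media_root, chunked_upload_dir, upload_id):
    """Where a chunk of `upload_id` would land under MEDIA_ROOT (constructed helper)."""
    return safe_join(media_root, chunked_upload_dir, upload_id)


def check_setting(media_root, chunked_upload_dir):
    """Return (ok, detail) for a CHUNKED_UPLOAD_DIR value before deploying it."""
    try:
        return True, chunk_path(media_root, chunked_upload_dir, "<upload-id>")
    except SuspiciousFileOperation as exc:
        return False, str(exc)


if __name__ == "__main__":
    MEDIA_ROOT = "/var/lib/pulp/media"
    # Absolute default seen in the traceback: rejected.
    print(check_setting(MEDIA_ROOT, "/var/lib/pulp/upload"))
    # Relative value from the fix: joined under MEDIA_ROOT.
    print(check_setting(MEDIA_ROOT, "upload"))
    # A '..' component is rejected the same way.
    print(check_setting(MEDIA_ROOT, "../upload"))
```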

Actions #6

Updated by dkliban@redhat.com over 1 year ago

  • Sprint set to Sprint 88
Actions #7

Updated by dkliban@redhat.com over 1 year ago

  • Assignee set to ekohl
Actions #8

Updated by pulpbot over 1 year ago

  • Status changed from NEW to POST

Added by dkliban@redhat.com over 1 year ago

Revision a8053124

Make CHUNKED_UPLOAD_DIR a relative path

In 1b6c736 uploads were changed to use the default storage (uses settings.MEDIA_ROOT). Anything that's written outside of the storage location raises a SuspiciousOperation. That already made the implicit requirement that CHUNKED_UPLOAD_DIR was relative.

Users could hit this if they modified MEDIA_ROOT in their settings but kept CHUNKED_UPLOAD_DIR default.

If a relative path is used, Django prepends the location and it is guaranteed to be a safe location. This changes the default value to be relative and updates the documentation to reflect this.

fixes: #8099 https://pulp.plan.io/issues/8099

Actions #10

Updated by dkliban@redhat.com over 1 year ago

  • Status changed from POST to MODIFIED

Added by dkliban@redhat.com over 1 year ago

Revision 9f6e1b12

Make CHUNKED_UPLOAD_DIR a relative path

In 1b6c736 uploads were changed to use the default storage (uses settings.MEDIA_ROOT). Anything that's written outside of the storage location raises a SuspiciousOperation. That already made the implicit requirement that CHUNKED_UPLOAD_DIR was relative.

Users could hit this if they modified MEDIA_ROOT in their settings but kept CHUNKED_UPLOAD_DIR default.

If a relative path is used, Django prepends the location and it is guaranteed to be a safe location. This changes the default value to be relative and updates the documentation to reflect this.

fixes: #8099 https://pulp.plan.io/issues/8099

Actions #12

Updated by dkliban@redhat.com over 1 year ago

  • Sprint/Milestone set to 3.9.1
Actions #13

Updated by ttereshc over 1 year ago

  • Sprint/Milestone changed from 3.9.1 to 3.10.0
Actions #14

Updated by ttereshc over 1 year ago

  • Status changed from MODIFIED to CLOSED - CURRENTRELEASE
  • Sprint/Milestone changed from 3.10.0 to 3.9.1
