Project

Profile

Help

Issue #8099

closed

File upload causes django.security.SuspiciousFileOperation:ERROR

Added by iballou about 3 years ago. Updated about 3 years ago.

Status:
CLOSED - CURRENTRELEASE
Priority:
High
Assignee:
Category:
-
Sprint/Milestone:
Start date:
Due date:
Estimated time:
Severity:
2. Medium
Version:
Platform Release:
OS:
Triaged:
Yes
Groomed:
No
Sprint Candidate:
No
Tags:
Katello
Sprint:
Sprint 88
Quarter:

Description

Versions:

pulpcore 3.9.0

pulp-file 1.5.0

When trying to upload a file via /pulp/api/v3/uploads, a 400 is thrown with the error in the title.

Traceback:

Jan 14 21:13:48 centos7-katello-devel-2 pulpcore-api: pulp [f53c4be45f9c4504aec7518c24847b8e]: django.security.SuspiciousFileOperation:ERROR: The joined path (/var/lib/pulp/upload/867d321b-de81-4f0f-bad9-713f9e92dd5f) is located outside of the base path component (/var/lib/pulp/media)
Jan 14 21:13:48 centos7-katello-devel-2 pulpcore-api: pulp [f53c4be45f9c4504aec7518c24847b8e]: django.request:WARNING: Bad Request: /pulp/api/v3/uploads/ef9b403f-c0fe-49e7-b2df-c4199f534ef2/
Actions #1

Updated by iballou about 3 years ago

Seems to be an issue with uploading RPMs too.

Actions #2

Updated by fao89 about 3 years ago

  • Triaged changed from No to Yes
Actions #3

Updated by jsherril@redhat.com about 3 years ago

  • Priority changed from Normal to High
Actions #4

Updated by dkliban@redhat.com about 3 years ago

I believe this is due to the settings that were set by the installer. Pulpcore 3.10.0 is going to handle this much better, but we will not be able to fix it in 3.9.z.

[0] https://github.com/pulp/pulpcore/pull/799/

Actions #5

Updated by ekohl about 3 years ago

The problem is that chunked upload is required to be within the media root. If you configure settings.CHUNKED_UPLOAD_DIR outside of that, it's deemed insecure since it could be trying to write to a insecure location.

In https://github.com/pulp/pulpcore/pull/799 I've chosen to configure it as a separate storage (https://github.com/pulp/pulpcore/pull/799/files#diff-3b7393fd8979f6a11ff65fe14ec74103a030415a943ce38a6eac7de85a2d92fdR11) and then use that in the upload form (https://github.com/pulp/pulpcore/pull/799/files#diff-03bb26bef2f063c5e13c435d8c58f624a9649bad78b53df8cc2463204238f674R62). That makes Django think that it's safe (which it is).

Actions #6

Updated by dkliban@redhat.com about 3 years ago

  • Sprint set to Sprint 88
Actions #7

Updated by dkliban@redhat.com about 3 years ago

  • Assignee set to ekohl
Actions #8

Updated by pulpbot about 3 years ago

  • Status changed from NEW to POST

Added by dkliban@redhat.com about 3 years ago

Revision a8053124 | View on GitHub

Make CHUNKED_UPLOAD_DIR a relative path

In 1b6c736 uploads were changed to use the default storage (uses settings.MEDIA_ROOT). Anything that's written outside of storage location raises a SuspiciousOperation. That already made the implicit requirement that CHUNKED_UPLOAD_DIR was relative.

Users could hit this if they modified MEDIA_ROOT in their settings but kept CHUNKED_UPLOAD_DIR default.

If a relative path is used, Django prepends the location and it is guaranteed to be a safe location. This changes the default value to be relative and updates the documentation to reflect this.

fixes: #8099 https://pulp.plan.io/issues/8099

Actions #10

Updated by dkliban@redhat.com about 3 years ago

  • Status changed from POST to MODIFIED

Added by dkliban@redhat.com about 3 years ago

Revision 9f6e1b12 | View on GitHub

Make CHUNKED_UPLOAD_DIR a relative path

In 1b6c736 uploads were changed to use the default storage (uses settings.MEDIA_ROOT). Anything that's written outside of storage location raises a SuspiciousOperation. That already made the implicit requirement that CHUNKED_UPLOAD_DIR was relative.

Users could hit this if they modified MEDIA_ROOT in their settings but kept CHUNKED_UPLOAD_DIR default.

If a relative path is used, Django prepends the location and it is guaranteed to be a safe location. This changes the default value to be relative and updates the documentation to reflect this.

fixes: #8099 https://pulp.plan.io/issues/8099

Actions #12

Updated by dkliban@redhat.com about 3 years ago

  • Sprint/Milestone set to 3.9.1
Actions #13

Updated by ttereshc about 3 years ago

  • Sprint/Milestone changed from 3.9.1 to 3.10.0
Actions #14

Updated by ttereshc about 3 years ago

  • Status changed from MODIFIED to CLOSED - CURRENTRELEASE
  • Sprint/Milestone changed from 3.10.0 to 3.9.1

Also available in: Atom PDF