Issue #8099: File upload causes django.security.SuspiciousFileOperation:ERROR - Pulp

Agile board
Agile charts

Agile boards

Pulp 2 QE Agile Board
Pulp 2 QE Agile Board - Priority View
Pulp 3 QE Agile Board
Pulp 3 RPM Tests Agile Board
Sprint 112 Agile Board

Custom queries

[All Projects] All Test Trackers
2.21.4 - Next Bugfix Release
2.21.4 MODIFIED
2.21.5
3.14.3
CI/CD
Easy Fix
FIPS open
Functional Tests
Galaxy NG
Groomed
Installer - Triage
Installer Items
Issues for Triage
Katello Integration
Next Docs Day
Operator issues
POST/ASSIGNED - no Sprint - Pulp2
POST/ASSIGNED - no Sprint - Pulp3
Prioritized Bugs
Pulp 3 Docs issues
Pulp2 issues available for next release
Pulpcore
SELinux related
Sprint 111
Sprint 112
Sprint Candidates (also groomed)
Un-Triaged Bugs
Verification Required

Actions

Send by e-mail Copy link

Issue #8099

closed

File upload causes django.security.SuspiciousFileOperation:ERROR

Added by iballou almost 4 years ago. Updated almost 4 years ago.

Status:

CLOSED - CURRENTRELEASE

Priority:

High

Assignee:

ekohl

Category:

Sprint/Milestone:

3.9.1

Start date:

Due date:

Estimated time:

Severity:

2. Medium

Version:

Platform Release:

OS:

Triaged:

Yes

Groomed:

Sprint Candidate:

Tags:

Katello

Sprint:

Sprint 88

Quarter:

Description

Versions:

pulpcore 3.9.0

pulp-file 1.5.0

When trying to upload a file via /pulp/api/v3/uploads, a 400 is thrown with the error in the title.

Traceback:

Jan 14 21:13:48 centos7-katello-devel-2 pulpcore-api: pulp [f53c4be45f9c4504aec7518c24847b8e]: django.security.SuspiciousFileOperation:ERROR: The joined path (/var/lib/pulp/upload/867d321b-de81-4f0f-bad9-713f9e92dd5f) is located outside of the base path component (/var/lib/pulp/media)
Jan 14 21:13:48 centos7-katello-devel-2 pulpcore-api: pulp [f53c4be45f9c4504aec7518c24847b8e]: django.request:WARNING: Bad Request: /pulp/api/v3/uploads/ef9b403f-c0fe-49e7-b2df-c4199f534ef2/

History
Notes
Property changes
Associated revisions

Actions

Copy link

Updated by iballou almost 4 years ago

Seems to be an issue with uploading RPMs too.

Actions

Copy link

Updated by fao89 almost 4 years ago

Triaged changed from No to Yes

Actions

Copy link

Updated by jsherril@redhat.com almost 4 years ago

Priority changed from Normal to High

Actions

Copy link

Updated by dkliban@redhat.com almost 4 years ago

I believe this is due to the settings that were set by the installer. Pulpcore 3.10.0 is going to handle this much better, but we will not be able to fix it in 3.9.z.

[0] https://github.com/pulp/pulpcore/pull/799/

Actions

Copy link

Updated by ekohl almost 4 years ago

The problem is that chunked upload is required to be within the media root. If you configure settings.CHUNKED_UPLOAD_DIR outside of that, it's deemed insecure since it could be trying to write to a insecure location.

In https://github.com/pulp/pulpcore/pull/799 I've chosen to configure it as a separate storage (https://github.com/pulp/pulpcore/pull/799/files#diff-3b7393fd8979f6a11ff65fe14ec74103a030415a943ce38a6eac7de85a2d92fdR11) and then use that in the upload form (https://github.com/pulp/pulpcore/pull/799/files#diff-03bb26bef2f063c5e13c435d8c58f624a9649bad78b53df8cc2463204238f674R62). That makes Django think that it's safe (which it is).

Actions

Copy link

Updated by dkliban@redhat.com almost 4 years ago

Sprint set to Sprint 88

Actions

Copy link

Updated by dkliban@redhat.com almost 4 years ago

Assignee set to ekohl

Actions

Copy link

Updated by pulpbot almost 4 years ago

Status changed from NEW to POST

PR: https://github.com/pulp/pulpcore/pull/1074

Actions

Copy link

Updated by pulpbot almost 4 years ago

PR: https://github.com/pulp/pulpcore/pull/1078

Added by dkliban@redhat.com almost 4 years ago

Revision a8053124 | View on GitHub

Make CHUNKED_UPLOAD_DIR a relative path

In 1b6c736 uploads were changed to use the default storage (uses settings.MEDIA_ROOT). Anything that's written outside of storage location raises a SuspiciousOperation. That already made the implicit requirement that CHUNKED_UPLOAD_DIR was relative.

Users could hit this if they modified MEDIA_ROOT in their settings but kept CHUNKED_UPLOAD_DIR default.

If a relative path is used, Django prepends the location and it is guaranteed to be a safe location. This changes the default value to be relative and updates the documentation to reflect this.

fixes: #8099 https://pulp.plan.io/issues/8099

Actions

Copy link

#10

Updated by dkliban@redhat.com almost 4 years ago

Status changed from POST to MODIFIED

Applied in changeset pulpcore|a805312435188aaeeb82b38700598af1c1d001aa.

Actions

Copy link

#11

Updated by pulpbot almost 4 years ago

PR: https://github.com/pulp/pulpcore/pull/1080

Added by dkliban@redhat.com almost 4 years ago

Revision 9f6e1b12 | View on GitHub

Make CHUNKED_UPLOAD_DIR a relative path

Users could hit this if they modified MEDIA_ROOT in their settings but kept CHUNKED_UPLOAD_DIR default.

If a relative path is used, Django prepends the location and it is guaranteed to be a safe location. This changes the default value to be relative and updates the documentation to reflect this.

fixes: #8099 https://pulp.plan.io/issues/8099

Actions

Copy link

#12