Project

Profile

Help

Issue #8099

closed

File upload causes django.security.SuspiciousFileOperation:ERROR

Added by iballou almost 4 years ago. Updated almost 4 years ago.

Status:
CLOSED - CURRENTRELEASE
Priority:
High
Assignee:
Category:
-
Sprint/Milestone:
Start date:
Due date:
Estimated time:
Severity:
2. Medium
Version:
Platform Release:
OS:
Triaged:
Yes
Groomed:
No
Sprint Candidate:
No
Tags:
Katello
Sprint:
Sprint 88
Quarter:

Description

Versions:

pulpcore 3.9.0

pulp-file 1.5.0

When trying to upload a file via /pulp/api/v3/uploads, a 400 is thrown with the error in the title.

Traceback:

Jan 14 21:13:48 centos7-katello-devel-2 pulpcore-api: pulp [f53c4be45f9c4504aec7518c24847b8e]: django.security.SuspiciousFileOperation:ERROR: The joined path (/var/lib/pulp/upload/867d321b-de81-4f0f-bad9-713f9e92dd5f) is located outside of the base path component (/var/lib/pulp/media)
Jan 14 21:13:48 centos7-katello-devel-2 pulpcore-api: pulp [f53c4be45f9c4504aec7518c24847b8e]: django.request:WARNING: Bad Request: /pulp/api/v3/uploads/ef9b403f-c0fe-49e7-b2df-c4199f534ef2/

Also available in: Atom PDF