jschneier / django-storages

https://django-storages.readthedocs.io/
BSD 3-Clause "New" or "Revised" License

Dropbox - path in Django field is broken in 1.13.1+ #1213

Closed nitr0man closed 1 year ago

nitr0man commented 1 year ago

I have a Django installation with Dropbox storage for FileField content. With these settings it strips 2 symbols from the path:

    DROPBOX_ROOT_PATH = '/app.pbb.foo/'
    DEFAULT_FILE_STORAGE = 'storages.backends.dropbox.DropBoxStorage'

For example, for the field

    file = models.FileField(
        upload_to='backups',
        blank=True,
        validators=[backup_file_validator]
    )

when I tried to store the file site55-full_2023_02_07_13_13_49.tar.gz I got ckups/site55-full_2023_02_07_13_13_49.tar.gz in the FileField instead of backups/site55-full_2023_02_07_13_13_49.tar.gz, and of course the file is unavailable in the app.

With 1.9.1 all is OK; 1.10.0-1.13.0 raise the exception SuspiciousFileOperation: Detected path traversal attempt due to leading slash in path.

But with

    DROPBOX_ROOT_PATH = '/app.poo.foo/'

the first 2 symbols aren't stripped.

Python 3.8, Django 3.2, dropbox 11.36.0

jschneier commented 1 year ago

Is the issue with DROPBOX_ROOT_PATH = '/app.poo.foo/' or something else stripping the beginning of backups?

nitr0man commented 1 year ago

Yes. I got ckups/... instead of backups/... in the model.

jschneier commented 1 year ago

What is the content of backup_file_validator? I'm struggling to see how this app causes this issue but I can't say it's impossible.

nitr0man commented 1 year ago

Just validation of file content (checking that it's a .tar.gz file).

jschneier commented 1 year ago

Sorry, was a bit daft and forgot about the reality of lstrip vs removeprefix. This is now fixed.
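The following is an added example, not code from this thread or from django-storages. It reproduces the lstrip vs removeprefix behaviour jschneier refers to, using the root paths and file name from the report: str.lstrip takes its argument as a set of characters, so a root of '/app.pbb.foo/' also eats the leading 'b' and 'a' of 'backups', while '/app.poo.foo/' contains no 'b' and leaves the name alone. The helper names (full_path, strip_root_lstrip, strip_root_prefix, relative_name) and the leading-slash / '..' guard are assumptions of this example, written to mirror the kind of check behind the SuspiciousFileOperation the reporter saw in 1.10.0-1.13.0, not the library's actual implementation. It targets Python 3.8 (the version in the report), where str.removeprefix is not yet available.

```python
# Added example, not django-storages code. Shows why character-set stripping
# (str.lstrip) corrupts a stored name and how prefix removal fixes it.
import posixpath

# Inputs constructed from the thread's report.
ROOT_PBB = '/app.pbb.foo/'   # contains 'b' and 'a': lstrip eats "ba" from "backups"
ROOT_POO = '/app.poo.foo/'   # no 'b': lstrip stops at the first char of "backups"
NAME = 'backups/site55-full_2023_02_07_13_13_49.tar.gz'


def full_path(root_path: str, name: str) -> str:
    """Join the configured root with the relative name, POSIX style."""
    return posixpath.join(root_path, name)


def strip_root_lstrip(root_path: str, full: str) -> str:
    """Buggy variant: lstrip's argument is a *set of characters*, not a
    prefix, so every leading character of `full` that occurs anywhere in
    `root_path` is removed, including characters belonging to the name."""
    return full.lstrip(root_path)


def strip_root_prefix(root_path: str, full: str) -> str:
    """Correct variant: drop the root only when it is the actual leading
    substring. Equivalent to full.removeprefix(root_path) on Python 3.9+,
    spelled out with startswith so it runs on 3.8."""
    if full.startswith(root_path):
        return full[len(root_path):]
    return full


def relative_name(root_path: str, full: str) -> str:
    """Prefix removal plus a simplified path-traversal guard (assumption of
    this example): the relative name must not be absolute and must not
    contain a '..' component. Anything outside the root fails here."""
    rel = strip_root_prefix(root_path, full)
    if rel.startswith('/') or '..' in rel.split('/'):
        raise ValueError('unsafe relative name: {!r}'.format(rel))
    return rel


if __name__ == '__main__':
    for root in (ROOT_PBB, ROOT_POO):
        full = full_path(root, NAME)
        print(root, '-> lstrip:', strip_root_lstrip(root, full))
        print(root, '-> prefix:', strip_root_prefix(root, full))
```

Running it prints ckups/site55-full_2023_02_07_13_13_49.tar.gz for the lstrip variant with '/app.pbb.foo/' and the intact backups/... name in the other three cases, which is exactly the pattern in the report; relative_name additionally rejects names that never had the root as a prefix or that climb out of it with '..'.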