A new file security checkup in Django 2.2.21 throws SuspiciousFileOperation.

For reference see:
https://docs.djangoproject.com/en/dev/releases/2.2.21/
https://github.com/django/django/commit/04ac1624bdc2fa737188401757cf95ced122d26d

Django now prevents empty file names:

```python
# Remove potentially dangerous names
if name in {'', '.', '..'}:
    raise SuspiciousFileOperation("Could not derive file name from '%s'" % name)
```

The class ChunkedUploadView initializes the file with an empty name:

```python
def create_chunked_upload(self, save=False, **attrs):
    """
    Creates new chunked upload instance. Called if no 'upload_id' is
    found in the POST data.
    """
    chunked_upload = self.model(**attrs)
    # file starts empty
```

The name needs to be changed to something not empty to fix this issue.

Until this issue is fixed, it is possible to override create_chunked_upload with a custom class:

```python
from django.core.files.base import ContentFile
from chunked_upload.views import ChunkedUploadView


class MyChunkedUploadView(ChunkedUploadView):
    """
    This view receives the posted chunk
    """
    model = ChunkedUploadedFile  # model class from your own project (not shown on this page)
    field_name = 'the_file'

    def create_chunked_upload(self, save=False, **attrs):
        """
        Creates new chunked upload instance. Called if no 'upload_id' is
        found in the POST data.
        """
        chunked_upload = self.model(**attrs)
        # file starts empty; the non-empty name passes the file name check
        chunked_upload.file.save(name='tmp', content=ContentFile(''), save=save)
        return chunked_upload
```
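
As an added illustration (not code from this issue, from Django, or from django-chunked-upload), the sketch below copies the quoted check into a stand-alone function so it runs without Django, and shows one way to derive an initial file name that the check always accepts. `SuspiciousFileOperation` here is a local stand-in class, and `check_file_name`, `placeholder_name` and `is_rejected` are hypothetical names invented for the example.

```python
import os
import uuid


class SuspiciousFileOperation(Exception):
    """Local stand-in for django.core.exceptions.SuspiciousFileOperation."""


def check_file_name(name):
    """The check quoted in the issue, wrapped in a function (assumed shape)."""
    # Remove potentially dangerous names
    if name in {'', '.', '..'}:
        raise SuspiciousFileOperation("Could not derive file name from '%s'" % name)
    return name


def placeholder_name(upload_id=None):
    """Hypothetical helper: non-empty initial name for the empty upload file.

    Only the base name of upload_id is kept, so the value cannot carry
    directory components; anything the check would reject is replaced by a
    random name.
    """
    base = os.path.basename(str(upload_id or '').replace('\\', '/'))
    if base in {'', '.', '..'}:
        base = uuid.uuid4().hex
    return check_file_name(base + '.part')


def is_rejected(name):
    """Return True when the check raises for this name."""
    try:
        check_file_name(name)
    except SuspiciousFileOperation:
        return True
    return False


if __name__ == '__main__':
    # Constructed sample names: the three rejected values, the issue's 'tmp'
    # workaround, and a derived placeholder.
    for candidate in ['', '.', '..', 'tmp', placeholder_name('abc123')]:
        print(repr(candidate), 'rejected' if is_rejected(candidate) else 'accepted')
```

In the override above, `placeholder_name(...)` could be passed as `name=` in place of the constant `'tmp'`.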