juliomalegria / django-chunked-upload

Upload large files to Django in multiple chunks, with the ability to resume if the upload is interrupted.
MIT No Attribution
214 stars 71 forks

SuspiciousFileOperation with Django 2.2.21 #60

Open courcelm opened 3 years ago

courcelm commented 3 years ago

A new file security checkup in Django 2.2.21 throws SuspiciousFileOperation.

For reference see: https://docs.djangoproject.com/en/dev/releases/2.2.21/ https://github.com/django/django/commit/04ac1624bdc2fa737188401757cf95ced122d26d

Django now prevents an empty file name:

```python
# Remove potentially dangerous names
if name in {'', '.', '..'}:
    raise SuspiciousFileOperation("Could not derive file name from '%s'" % name)
```

The class ChunkedUploadView initializes the file with an empty name:

```python
def create_chunked_upload(self, save=False, **attrs):
    """
    Creates new chunked upload instance. Called if no 'upload_id' is
    found in the POST data.
    """
    chunked_upload = self.model(**attrs)
    # file starts empty
    chunked_upload.file.save(name='', content=ContentFile(''), save=save)
    return chunked_upload
```

The name needs to be changed to something not empty to fix this issue.

Until this issue is fixed, it is possible to override create_chunked_upload with a custom class:

```python
from django.core.files.base import ContentFile
from chunked_upload.views import ChunkedUploadView

# ChunkedUploadedFile is the project's own model; import it from your app.


class MyChunkedUploadView(ChunkedUploadView):
    """This view receives the posted chunk"""

    model = ChunkedUploadedFile
    field_name = 'the_file'

    def create_chunked_upload(self, save=False, **attrs):
        """
        Creates new chunked upload instance. Called if no 'upload_id' is
        found in the POST data.
        """
        chunked_upload = self.model(**attrs)
        # file starts empty; the placeholder name must not be empty
        chunked_upload.file.save(name='tmp', content=ContentFile(''), save=save)
        return chunked_upload
```

i-am-b-soto commented 3 years ago

Hi.

Can confirm I have the same problem Django==3.1.4
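
The check quoted in the issue, modelled without Django, next to a helper that always yields a non-empty placeholder name for the initial empty file. This is an added example, not code from django-chunked-upload or Django: `check_name`, `placeholder_name`, `is_accepted` and the local `SuspiciousFileOperation` class are hypothetical stand-ins, and reducing a candidate to its last path component is an assumption that goes beyond the empty-name case reported here.

```python
import os
import uuid


class SuspiciousFileOperation(Exception):
    """Local stand-in for django.core.exceptions.SuspiciousFileOperation."""


# Names rejected by the Django check quoted in the issue.
DANGEROUS_NAMES = {'', '.', '..'}


def check_name(name):
    """Mirror of the quoted check: reject names no file name can be derived from."""
    if name in DANGEROUS_NAMES:
        raise SuspiciousFileOperation(
            "Could not derive file name from '%s'" % name)
    return name


def placeholder_name(candidate=None, suffix='.part'):
    """Return a non-empty name for the initial empty file (hypothetical helper).

    Keeps only the last path component of `candidate`; if nothing usable
    remains, falls back to a random hex name instead of ''.
    """
    base = os.path.basename((candidate or '').replace('\\', '/'))
    if base in DANGEROUS_NAMES:
        base = uuid.uuid4().hex
    return check_name(base + suffix)


def is_accepted(name):
    """True if the quoted check would let `name` through."""
    try:
        check_name(name)
        return True
    except SuspiciousFileOperation:
        return False


if __name__ == '__main__':
    # Constructed sample inputs: '' is what create_chunked_upload passed.
    for name in ['', '.', '..', 'tmp']:
        print(repr(name), 'accepted' if is_accepted(name) else 'rejected')
    for candidate in [None, '', '..', 'dir/', 'C:\\x\\video.mp4']:
        print(repr(candidate), '->', placeholder_name(candidate))
```
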