Suspicious file operation when uploading an image

Posted 2025-01-10 12:24:08, 6731 characters, 0 views, 0 comments


I try to upload a picture in the django admin panel, without success. I made a minimal app with basic information, but it fails when I want to upload the ImageField to the server (storage on Dropbox). I installed django-storages, and here are my settings:

DROPBOX_OAUTH2_TOKEN = "my_token_here"
DROPBOX_ROOT_PATH    = 'storage'

My model:

class Picture(BaseModel):
    title = models.CharField(max_length=80, default='', blank=True)
    description = models.TextField(default='', blank=True)
    image = models.ImageField(blank=True, null=True)

I get the following error:

SuspiciousFileOperation at /
Detected path traversal attempt in '/home/me/Code/my-project/storage/my_image.JPG'

Environment:

Request Method: POST
Request URL: http://127.0.0.1:8001/admin/gallery/picture/add/

Django Version: 4.0.2
Python Version: 3.8.10
Installed Applications:
['django.contrib.admin',
 'django.contrib.auth',
 'django.contrib.contenttypes',
 'django.contrib.sessions',
 'django.contrib.messages',
 'django.contrib.staticfiles',
 'gallery']
Installed Middleware:
['django.middleware.security.SecurityMiddleware',
 'django.contrib.sessions.middleware.SessionMiddleware',
 'django.middleware.common.CommonMiddleware',
 'django.middleware.csrf.CsrfViewMiddleware',
 'django.contrib.auth.middleware.AuthenticationMiddleware',
 'django.contrib.messages.middleware.MessageMiddleware',
 'django.middleware.clickjacking.XFrameOptionsMiddleware']



Traceback (most recent call last):
  File "/home/me/Code/my-project/env/lib/python3.8/site-packages/django/core/handlers/exception.py", line 47, in inner
    response = get_response(request)
  File "/home/me/Code/my-project/env/lib/python3.8/site-packages/django/core/handlers/base.py", line 181, in _get_response
    response = wrapped_callback(request, *callback_args, **callback_kwargs)
  File "/home/me/Code/my-project/env/lib/python3.8/site-packages/django/contrib/admin/options.py", line 622, in wrapper
    return self.admin_site.admin_view(view)(*args, **kwargs)
  File "/home/me/Code/my-project/env/lib/python3.8/site-packages/django/utils/decorators.py", line 130, in _wrapped_view
    response = view_func(request, *args, **kwargs)
  File "/home/me/Code/my-project/env/lib/python3.8/site-packages/django/views/decorators/cache.py", line 57, in _wrapped_view_func
    response = view_func(request, *args, **kwargs)
  File "/home/me/Code/my-project/env/lib/python3.8/site-packages/django/contrib/admin/sites.py", line 236, in inner
    return view(request, *args, **kwargs)
  File "/home/me/Code/my-project/env/lib/python3.8/site-packages/django/contrib/admin/options.py", line 1670, in add_view
    return self.changeform_view(request, None, form_url, extra_context)
  File "/home/me/Code/my-project/env/lib/python3.8/site-packages/django/utils/decorators.py", line 43, in _wrapper
    return bound_method(*args, **kwargs)
  File "/home/me/Code/my-project/env/lib/python3.8/site-packages/django/utils/decorators.py", line 130, in _wrapped_view
    response = view_func(request, *args, **kwargs)
  File "/home/me/Code/my-project/env/lib/python3.8/site-packages/django/contrib/admin/options.py", line 1549, in changeform_view
    return self._changeform_view(request, object_id, form_url, extra_context)
  File "/home/me/Code/my-project/env/lib/python3.8/site-packages/django/contrib/admin/options.py", line 1599, in _changeform_view
    self.save_model(request, new_object, form, not add)
  File "/home/me/Code/my-project/env/lib/python3.8/site-packages/django/contrib/admin/options.py", line 1108, in save_model
    obj.save()
  File "/home/me/Code/my-project/env/lib/python3.8/site-packages/django/db/models/base.py", line 743, in save
    self.save_base(using=using, force_insert=force_insert,
  File "/home/me/Code/my-project/env/lib/python3.8/site-packages/django/db/models/base.py", line 780, in save_base
    updated = self._save_table(
  File "/home/me/Code/my-project/env/lib/python3.8/site-packages/django/db/models/base.py", line 885, in _save_table
    results = self._do_insert(cls._base_manager, using, fields, returning_fields, raw)
  File "/home/me/Code/my-project/env/lib/python3.8/site-packages/django/db/models/base.py", line 923, in _do_insert
    return manager._insert(
  File "/home/me/Code/my-project/env/lib/python3.8/site-packages/django/db/models/manager.py", line 85, in manager_method
    return getattr(self.get_queryset(), name)(*args, **kwargs)
  File "/home/me/Code/my-project/env/lib/python3.8/site-packages/django/db/models/query.py", line 1301, in _insert
    return query.get_compiler(using=using).execute_sql(returning_fields)
  File "/home/me/Code/my-project/env/lib/python3.8/site-packages/django/db/models/sql/compiler.py", line 1440, in execute_sql
    for sql, params in self.as_sql():
  File "/home/me/Code/my-project/env/lib/python3.8/site-packages/django/db/models/sql/compiler.py", line 1382, in as_sql
    value_rows = [
  File "/home/me/Code/my-project/env/lib/python3.8/site-packages/django/db/models/sql/compiler.py", line 1383, in <listcomp>
    [self.prepare_value(field, self.pre_save_val(field, obj)) for field in fields]
  File "/home/me/Code/my-project/env/lib/python3.8/site-packages/django/db/models/sql/compiler.py", line 1383, in <listcomp>
    [self.prepare_value(field, self.pre_save_val(field, obj)) for field in fields]
  File "/home/me/Code/my-project/env/lib/python3.8/site-packages/django/db/models/sql/compiler.py", line 1334, in pre_save_val
    return field.pre_save(obj, add=True)
  File "/home/me/Code/my-project/env/lib/python3.8/site-packages/django/db/models/fields/files.py", line 302, in pre_save
    file.save(file.name, file.file, save=False)
  File "/home/me/Code/my-project/env/lib/python3.8/site-packages/django/db/models/fields/files.py", line 89, in save
    self.name = self.storage.save(name, content, max_length=self.field.max_length)
  File "/home/me/Code/my-project/env/lib/python3.8/site-packages/django/core/files/storage.py", line 56, in save
    validate_file_name(name, allow_relative_path=True)
  File "/home/me/Code/my-project/env/lib/python3.8/site-packages/django/core/files/utils.py", line 18, in validate_file_name
    raise SuspiciousFileOperation(

Exception Type: SuspiciousFileOperation at /admin/gallery/picture/add/
Exception Value: Detected path traversal attempt in '/home/me/Code/my-project/patrimoine/storage/2020-4-3-IMG_7410.JPG'

I searched for this error on the web and found that it has something to do with relative/absolute paths, but didn't find a way to fix it. I tried to change DROPBOX_ROOT_PATH from '/storage' to '', but it didn't change anything.

I have to say that the pictures are uploaded to my Dropbox, but the model objects are not created.

EDIT: I found this post on the django-storages repository; it seems like this issue occurs because Dropbox gets the full path as a name but django needs only filename+extension (credit to @churongcon). There is no workaround for now, it seems.
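The guard that fires at the bottom of the traceback above is Django's validate_file_name, which Storage.save() runs on the name a backend's _save() returns. The following is an added example, not Django's or django-storages' code: validate_file_name is re-implemented here (modelled on Django 4.0's django/core/files/utils.py) so it runs without Django installed, and HypotheticalRootedStorage is an invented stand-in for a remote backend rooted at a path such as DROPBOX_ROOT_PATH. Its returns_full_path flag reproduces the failure mode the EDIT describes: the upload itself succeeds, then the returned name is rejected as a path traversal attempt because it is absolute, so the model row is never written.

```python
import os
import pathlib


class SuspiciousFileOperation(Exception):
    """Stand-in for django.core.exceptions.SuspiciousFileOperation."""


def validate_file_name(name, allow_relative_path=False):
    """Modelled on Django 4.0's validate_file_name (re-implemented, not imported).

    Storage.save() calls this with allow_relative_path=True on the name that
    the backend's _save() returned, which is where the traceback ends.
    """
    if os.path.basename(name) in {"", ".", ".."}:
        raise SuspiciousFileOperation(f"Could not derive file name from '{name}'")
    if allow_relative_path:
        # Sub-directories are fine; an absolute path or any '..' component
        # is reported as a traversal attempt.
        path = pathlib.PurePosixPath(name)
        if path.is_absolute() or ".." in path.parts:
            raise SuspiciousFileOperation(f"Detected path traversal attempt in '{name}'")
    elif name != os.path.basename(name):
        raise SuspiciousFileOperation(f"File name '{name}' includes path elements")
    return name


def check_name(name, allow_relative_path=True):
    """Return (accepted, message) instead of raising, for quick inspection."""
    try:
        validate_file_name(name, allow_relative_path)
    except SuspiciousFileOperation as exc:
        return False, str(exc)
    return True, "ok"


class HypotheticalRootedStorage:
    """Invented stand-in for a remote backend rooted at root_path (not django-storages).

    returns_full_path=True mimics a backend that hands Django the full remote
    path instead of the name relative to the root.
    """

    def __init__(self, root_path, returns_full_path=False):
        self.root_path = root_path.strip("/")
        self.returns_full_path = returns_full_path
        self.uploaded = {}  # remote path -> bytes, standing in for the API upload

    def _full_path(self, name):
        return "/" + "/".join(p for p in (self.root_path, name) if p)

    def _save(self, name, content):
        full_path = self._full_path(name)
        self.uploaded[full_path] = content  # the upload succeeds either way
        return full_path if self.returns_full_path else name

    def save(self, name, content):
        """Mirror of Storage.save(): upload, then validate the returned name."""
        name = self._save(name, content)
        validate_file_name(name, allow_relative_path=True)
        return name


def try_save(storage, name, content):
    """Return (stored, name_or_error) so the two backends can be compared."""
    try:
        return True, storage.save(name, content)
    except SuspiciousFileOperation as exc:
        return False, str(exc)


if __name__ == "__main__":
    for candidate in ("my_image.JPG", "storage/my_image.JPG",
                      "/home/me/Code/my-project/storage/my_image.JPG",
                      "../etc/passwd"):
        print(f"{candidate!r}: {check_name(candidate)}")
    sample = b"\xff\xd8\xff"  # constructed JPEG-like header, content is irrelevant here
    good = HypotheticalRootedStorage("storage")
    bad = HypotheticalRootedStorage("storage", returns_full_path=True)
    print("relative name:", try_save(good, "my_image.JPG", sample))
    print("full path:    ", try_save(bad, "my_image.JPG", sample))
    print("but uploaded anyway:", list(bad.uploaded))
```

The practical check this gives you when a custom or third-party backend raises this error: call the backend's _save() directly in a shell and look at the string it returns. If it starts with "/" or contains "..", the backend, not your model or upload_to, is what Django is rejecting, and the file may already have landed in the remote store even though no row was saved.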

Comments (1)

陌上青苔 2025-01-17 12:24:08


Add storages to INSTALLED_APPS. Then add the following code snippet to settings.py:

DEFAULT_FILE_STORAGE='storages.backends.dropbox.DropBoxStorage'