Hmm that can't be right.
Can you set a breakpoint on the line where the exception is raised:
SuspiciousFileOperation("Detected.....
When you set a breakpoint there, inspect the value of dir_name.
The ".parts" method breaks the file path up into a tuple, there shouldn't
be a ".." in the tuple.
On Fri, Feb 4, 2022, 10:49 AM Joalbert Palacios <[email protected]> wrote:
> Hi,
>
> dir_name in the exception is '/home/joalbert/Documents/Remesas
> App/RemesasServer/media/payments/images/filename.jpg'
>
> The setting for media is:
> Settings.py:
> MEDIA_ROOT = "./media/"#os.path.join(BASE_DIR, 'media')
> MEDIA_URL = '/media/'
>
> I try also with
> MEDIA_ROOT = os.path.join(BASE_DIR, 'media')
> where BASE_DIR = Path(__file__).resolve().parent.parent
>
> If you could tell me how could fix it, it would be nice. Since I do not
> have idea how to remove this exception.
>
> Sincerely,
> Joalbert
> On Friday, February 4, 2022 at 12:33:51 AM UTC-5 [email protected]
> wrote:
>
>> This is obviously some type of security feature to prevent someone from
>> climbing up a directory. You have ".." in your string for the file path
>> somewhere.
>>
>> What is the value of "dir_name" when the exception is raised? It should
>> be in the traceback somewhere. Should help narrow down where it's coming
>> from. Most likely a mistake you made in your settings file concating
>> strings related to where Django should upload files.
>>
>> On Thu, Feb 3, 2022, 2:12 PM Joalbert Palacios <[email protected]> wrote:
>>
>>> Hi group,
>>>
>>> I have been updating my django version so as to cover the last security
>>> patch with django version 3.2 (current version 3.2.12).
>>>
>>> Unfortunately, after this update the following exception occurs during
>>> execution of testing:
>>>
>>> Detected path traversal attempt in '/home/joalbert/Documents/Remesas
>>> App/RemesasServer/media/payments/images/temp_qHaTViL.png'
>>> Bad Request: /webapp/payment
>>>
>>> I have read
>>> https://stackoverflow.com/questions/69745412/django-and-suspiciousfileoperationdetected-path-traversal-attempt
>>> and followed but not works in my case, maybe I misunderstood something, I
>>> would appreciate any help regarding how to fix those exception.
>>>
>>> I read django code and find the errors is in the following section:
>>>
>>> def get_available_name(self, name, max_length=None):
>>>
>>> """
>>>
>>> Return a filename that's free on the target storage system and
>>>
>>> available for new content to be written to.
>>>
>>> """
>>>
>>> name = str(name).replace('\\', '/')
>>>
>>> dir_name, file_name = os.path.split(name)
>>>
>>> if '..' in pathlib.PurePath(dir_name).parts:
>>>
>>> raise SuspiciousFileOperation("Detected path traversal attempt in '%s'"
>>> % dir_name)
>>>
>>> Here it is my code in the sections that code goes by to send response to
>>> client.
>>>
>>> *Model.py:*
>>> class Payment(models.Model):
>>> STATUS = ((0, _("Draft")), (1, _("Aproved")), (2 , _("Rejected")), (3,
>>> _("Released")))
>>> order_number_id = models.OneToOneField(Exchange_Order,
>>> on_delete=models.CASCADE, related_name="order_payment")
>>> user_id =models.ForeignKey(User, verbose_name=_('user'), on_delete=
>>> models.CASCADE, related_name="payment_user_id")
>>> capture = models.FileField(verbose_name=_('image'),
>>> upload_to="payments/images", max_length=1024)
>>> payment_date = models.DateTimeField(verbose_name=_('date'),
>>> default=datetime.now().replace(tzinfo=timezone.utc))
>>> status = models.PositiveSmallIntegerField(verbose_name=_('status'),
>>> default=0, choices=STATUS)
>>> reason = models.ForeignKey(Reasons,verbose_name=_('reason'),
>>> on_delete=models.CASCADE, related_name="payment_reason",
>>> null=True, blank=True)
>>>
>>> def __str__(self) -> str:
>>> return f"{self.order_number_id} {self.user_id.username}
>>> {self.payment_date}"
>>> class Meta: #new
>>> verbose_name = _("Payment from Client to 'Activo Digital'")
>>> verbose_name_plural = _("Payments from Client to 'Activo Digital'")
>>>
>>> *forms.py*
>>> class Payment_All_Form(forms.ModelForm):
>>> class Meta:
>>> model = Payment
>>> fields = "__all__"
>>> views.py (only post method is included for clarity)
>>> class PaymentSessionView(LoginRequiredMixin, CreateView):
>>> queryset = Payment.objects.all()
>>> form_class = Payment_Form
>>> http_method_names = ['get', 'post']
>>> template_name="clienteServidor/webapp/payment.html"
>>>
>>> @method_decorator(User_Detail_Permission_Web)
>>> def post(self, request, *args, **kwargs):
>>> models = Exchange_Order.objects.filter(status=0, user_id=request.user)
>>> # En caso de que no haya ordenes abiertas
>>> if not models.exists():
>>> context =self._add_context_data()
>>> context["existant"] ="No hay orden abierta"
>>> context["form"] = Payment_Form()
>>> return render(request,self.template_name, context)
>>> # Procesar pago para ordenes abiertas
>>> forms = []
>>> data_list = []
>>> order_ids = []
>>> for model in models:
>>> my_data = self._complete_data(request, model.id)
>>> data_list.append(my_data)
>>> order_ids.append(f"Orden: {model.id}")
>>> forms.append(Payment_All_Form(my_data,request.FILES))
>>> # Chequear que todas las formas sean validas
>>> are_valids = []
>>> for form in forms:
>>> are_valids.append(form.is_valid())
>>> # If any invalid
>>> if False in are_valids:
>>> for index, items in enumerate(are_valids):
>>> if not items:
>>> form = forms[index]
>>> context = self._add_context_data()
>>> context["form"] = form
>>> return render(request,self.template_name, context)
>>> for index, model in enumerate(models):
>>> if index == 0:
>>> forms[index].save()
>>> else:
>>> data_list[index]["order_number_id"]=model
>>> data_list[index]["user_id"]=request.user
>>> datum = {k:v for k,v in data_list[index].items() if
>>> k!="csrfmiddlewaretoken"}
>>> payment = Payment(**datum)
>>> payment.save()
>>> model.status=1
>>> model.grouped_orders = order_ids
>>> model.save()
>>> my_message ="Orden Nro "+ str(model.id) + (" fue procesada
>>> exitosamente, les estaremos notificando"
>>> " por correo cuando el pago sea validado y procesado en el destino.")
>>> messages.add_message(request, messages.INFO, my_message)
>>> return HttpResponseRedirect(reverse_lazy("transaction_web"))
>>>
>>> Settings.py:
>>> MEDIA_ROOT = "./media/"#os.path.join(BASE_DIR, 'media')
>>> MEDIA_URL = '/media/'
>>>
>>> I hope sincerely that you could have any answer how to fix it. I really
>>> appreciate your help regarding this issue.
>>>
>>> Sincerely,
>>> Joalbert
>>>
>>> --
>>> You received this message because you are subscribed to the Google
>>> Groups "Django users" group.
>>> To unsubscribe from this group and stop receiving emails from it, send
>>> an email to [email protected].
>>> To view this discussion on the web visit
>>> https://groups.google.com/d/msgid/django-users/35a15616-92fc-41d4-97b3-8fb3061ec881n%40googlegroups.com
>>> <https://groups.google.com/d/msgid/django-users/35a15616-92fc-41d4-97b3-8fb3061ec881n%40googlegroups.com?utm_medium=email&utm_source=footer>
>>> .
>>>
>> --
> You received this message because you are subscribed to the Google Groups
> "Django users" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/django-users/9de4405b-bff1-4b5f-a9ce-ec449d367d0en%40googlegroups.com
> <https://groups.google.com/d/msgid/django-users/9de4405b-bff1-4b5f-a9ce-ec449d367d0en%40googlegroups.com?utm_medium=email&utm_source=footer>
> .
>
--
You received this message because you are subscribed to the Google Groups
"Django users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To view this discussion on the web visit
https://groups.google.com/d/msgid/django-users/CAF-Y%3De76d0uAHVK%3DskcYo82HVPAk8vNpuKakofvhvD-ep%2BBArw%40mail.gmail.com.
