Fabre

#1086654 python-django-storages: FTBFS: E django.core.exceptions.SuspiciousFileOperation: Detected path traversal attempt in '/foo' #1086654

Package:: src:python-django-storages

Source:: src:python-django-storages

Submitter:: Santiago Vila

Date:: 2024-11-03 00:18:10 UTC

Severity:: normal

Tags:

#1086654#5

Date:: 2024-11-03 00:15:04 UTC

From:

To:

Dear maintainer:

During a rebuild of all packages in bookworm + proposed-updates, your package failed to build:
--------------------------------------------------------------------------------
[...]
  debian/rules binary
dh binary --with python3,sphinxdoc --buildsystem=pybuild
    dh_update_autotools_config -O--buildsystem=pybuild
    dh_autoreconf -O--buildsystem=pybuild
    dh_auto_configure -O--buildsystem=pybuild
I: pybuild base:240: python3.11 setup.py config
running config
    dh_auto_build -O--buildsystem=pybuild
I: pybuild base:240: /usr/bin/python3 setup.py build
running build
running build_py
creating /<<PKGBUILDDIR>>/.pybuild/cpython3_3.11/build/storages
copying storages/utils.py -> /<<PKGBUILDDIR>>/.pybuild/cpython3_3.11/build/storages
copying storages/base.py -> /<<PKGBUILDDIR>>/.pybuild/cpython3_3.11/build/storages
copying storages/__init__.py -> /<<PKGBUILDDIR>>/.pybuild/cpython3_3.11/build/storages
copying storages/compress.py -> /<<PKGBUILDDIR>>/.pybuild/cpython3_3.11/build/storages
creating /<<PKGBUILDDIR>>/.pybuild/cpython3_3.11/build/storages/backends
copying storages/backends/azure_storage.py -> /<<PKGBUILDDIR>>/.pybuild/cpython3_3.11/build/storages/backends
copying storages/backends/sftpstorage.py -> /<<PKGBUILDDIR>>/.pybuild/cpython3_3.11/build/storages/backends
copying storages/backends/apache_libcloud.py -> /<<PKGBUILDDIR>>/.pybuild/cpython3_3.11/build/storages/backends
copying storages/backends/__init__.py -> /<<PKGBUILDDIR>>/.pybuild/cpython3_3.11/build/storages/backends
copying storages/backends/gcloud.py -> /<<PKGBUILDDIR>>/.pybuild/cpython3_3.11/build/storages/backends
copying storages/backends/s3boto3.py -> /<<PKGBUILDDIR>>/.pybuild/cpython3_3.11/build/storages/backends
copying storages/backends/dropbox.py -> /<<PKGBUILDDIR>>/.pybuild/cpython3_3.11/build/storages/backends
copying storages/backends/ftp.py -> /<<PKGBUILDDIR>>/.pybuild/cpython3_3.11/build/storages/backends
    dh_auto_test -O--buildsystem=pybuild
I: pybuild pybuild:307: cp -r /<<PKGBUILDDIR>>/tests /<<PKGBUILDDIR>>/.pybuild/cpython3_3.11/build
I: pybuild base:240: cd /<<PKGBUILDDIR>>/.pybuild/cpython3_3.11/build; python3.11 -m pytest --ignore=tests/integration
============================= test session starts ==============================
platform linux -- Python 3.11.2, pytest-7.2.1, pluggy-1.0.0+repack
rootdir: /<<PKGBUILDDIR>>
collected 152 items / 2 skipped

tests/test_dropbox.py .............F......F.                             [ 14%]
tests/test_ftp.py ...............................                        [ 34%]
tests/test_s3boto3.py .s...........................................      [ 64%]
tests/test_sftp.py .............................                         [ 83%]
tests/test_utils.py .........................                            [100%]

=================================== FAILURES ===================================


tests/test_dropbox.py:143:
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
/usr/lib/python3/dist-packages/django/core/files/storage.py:62: in save
     validate_file_name(name, allow_relative_path=True)
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _

name = '/foo', allow_relative_path = True

     def validate_file_name(name, allow_relative_path=False):
         # Remove potentially dangerous names
         if os.path.basename(name) in {'', '.', '..'}:
             raise SuspiciousFileOperation("Could not derive file name from '%s'" % name)

         if allow_relative_path:
             # Ensure that name can be treated as a pure posix path, i.e. Unix
             # style (with forward slashes).
             path = pathlib.PurePosixPath(str(name).replace("\\", "/"))
             if path.is_absolute() or '..' in path.parts:
/usr/lib/python3/dist-packages/django/core/files/utils.py:17: SuspiciousFileOperation

tests/test_dropbox.py:207:
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
/usr/lib/python3/dist-packages/django/core/files/storage.py:62: in save
     validate_file_name(name, allow_relative_path=True)
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _

name = '/bar/xyz', allow_relative_path = True

     def validate_file_name(name, allow_relative_path=False):
         # Remove potentially dangerous names
         if os.path.basename(name) in {'', '.', '..'}:
             raise SuspiciousFileOperation("Could not derive file name from '%s'" % name)

         if allow_relative_path:
             # Ensure that name can be treated as a pure posix path, i.e. Unix
             # style (with forward slashes).
             path = pathlib.PurePosixPath(str(name).replace("\\", "/"))
             if path.is_absolute() or '..' in path.parts:
/usr/lib/python3/dist-packages/django/core/files/utils.py:17: SuspiciousFileOperation
=============================== warnings summary ===============================
../../../../../../usr/lib/python3/dist-packages/django/http/request.py:1
   /usr/lib/python3/dist-packages/django/http/request.py:1: DeprecationWarning: 'cgi' is deprecated and slated for removal in Python 3.13
     import cgi

../../../../../../usr/lib/python3/dist-packages/django/utils/encoding.py:266
   /usr/lib/python3/dist-packages/django/utils/encoding.py:266: DeprecationWarning: Use setlocale(), getencoding() and getlocale() instead
     encoding = locale.getdefaultlocale()[1] or 'ascii'

#1086654 python-django-storages: FTBFS: E django.core.exceptions.SuspiciousFileOperation: Detected path traversal attempt in '/foo' #1086654

Just Reply to ...

Reply to submitter ...

Send control command (Silently)

Set Architecture Tags (Silently)