#20 Merged
alanjds
david

SuspiciousOperation raising if AWS_LOCATION ends with '/'

  1. Alan Justino

Looks like safe_join tried to guard against paths like '/media' + 'other_folder', but it is safe by being sure that '/media' ends with '/'.

A real problem could be '/media/' + 'path/../../media-parent-folder', which I tried to fix.

(btw, sorry for the misspelling in some commit title)

Comments (3)

  1. Ian Lewis

    I think you tried to do too much without really looking at why safe join was failing. It was failing because the base path ending in '/' caused the final comparison to be incorrect.

    Try something like this:

    from urlparse import urljoin

    from django.utils.encoding import force_unicode


    def safe_join(base, *paths):
        """
        A version of django.utils._os.safe_join for S3 paths.

        Joins one or more path components to the base path component intelligently.
        Returns a normalized version of the final path.

        The final path must be located inside of the base path component (otherwise
        a ValueError is raised).

        Paths outside the base path indicate a possible security sensitive operation.
        """
        base_path = force_unicode(base)
        # Strip the trailing '/' so that a base such as 'media/' does not throw
        # off the containment check below.
        base_path = base_path.rstrip('/')
        paths = [force_unicode(p) for p in paths]
        # urljoin accepts a single URL, and only treats its base as a directory
        # when it ends in '/', so join the components one at a time.
        final_path = base_path
        for path in paths:
            if not final_path.endswith("/"):
                final_path += "/"
            final_path = urljoin(final_path, path)
        # Ensure final_path starts with base_path and that the next character after
        # the final path is '/' (or nothing, in which case final_path must be
        # equal to base_path).
        base_path_len = len(base_path)
        if not final_path.startswith(base_path) \
           or final_path[base_path_len:base_path_len+1] not in ('', '/'):
            raise ValueError('the joined path is located outside of the base path'
                             ' component')
        return final_path

    I just stripped the '/' characters from the left of the base_path.
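A Python 3 port of the containment check from the comment above, added here as an example and not code from the pull request or from django-storages itself. It joins components one at a time (urljoin takes a single URL) and exercises the cases the thread raises: a base ending in '/', the 'path/../../media-parent-folder' traversal, and a sibling prefix that shares the base's name; the base names and keys are constructed.

```python
from urllib.parse import urljoin


def safe_join(base, *paths):
    """Join key components under the S3 prefix ``base`` and refuse escapes.

    The normalised result must lie inside ``base``; otherwise ValueError is
    raised, which the storage backend turns into SuspiciousOperation.
    """
    # Tolerate an AWS_LOCATION that ends in '/': the check below compares
    # against the stripped prefix and requires '/' (or nothing) after it.
    base_path = str(base).rstrip('/')
    final_path = base_path
    for component in paths:
        # urljoin takes one URL at a time, and only treats its base as a
        # directory when it ends in '/', so join the components one by one.
        if not final_path.endswith('/'):
            final_path += '/'
        final_path = urljoin(final_path, str(component))
    n = len(base_path)
    # 'media-parent-folder' starts with 'media' but is a sibling, not a child:
    # the character after the prefix must be '/' or the end of the string.
    if not final_path.startswith(base_path) or final_path[n:n + 1] not in ('', '/'):
        raise ValueError('the joined path is located outside of the base path component')
    return final_path


def classify(base, *paths):
    """Return the joined key, or 'rejected' when safe_join refuses it."""
    try:
        return safe_join(base, *paths)
    except ValueError:
        return 'rejected'


if __name__ == '__main__':
    # Constructed cases: both spellings of the base from the thread, a
    # harmless '..' that stays inside the prefix, and three escapes.
    for case in [('media/', 'file.txt'),
                 ('media', 'sub', 'file.txt'),
                 ('media/', 'sub/../file.txt'),
                 ('media/', 'path/../../media-parent-folder'),
                 ('media/', '../secret'),
                 ('media/', '/outside/file.txt')]:
        print(case, '->', classify(*case))
```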
