Tags: django, django-models, django-admin

How do I avoid a SuspiciousFileOperation when uploading a Django photo?


from django.conf import settings
from django.db.models import BigIntegerField, Model
from django.utils.translation import gettext_lazy as _
from django_resized import ResizedImageField

# Assumed to be the absolute media directory from settings (the value handed to upload_to below).
MEDIA_ROOT = settings.MEDIA_ROOT


class UserProfilePhoto(Model):
    # Resized on save by django-resized; upload_to is given the absolute MEDIA_ROOT here.
    photo = ResizedImageField(size=[128, 128], upload_to=MEDIA_ROOT)

    photo_hash = BigIntegerField(
        blank=True,
        null=True,
        help_text=_("an integer representation of the hexdigest hash of the photo"),
    )

    def __str__(self):
        return f"{self.photo.name} ({self.photo_hash})"

I used to have a save() operation in the model which would do the resizing, but now I'm using django-resized because, after all that figuring out how to resize the photo and generate a hash value, it turns out there is a module to do it already.

I'm adding a picture to the userprofilephoto in the admin.

SuspiciousFileOperation at /admin/userprofile/userprofilephoto/add/
Detected path traversal attempt in '/app/mine/media/mendlebrot-lawn.jpeg'

How do you turn off the error or the validation?

To answer some questions in advance:

No. I'm not going to go back to ImageField(). It gave me the same problem with lots more code.


Solution

  • The upload_to argument is intended to specify a subdirectory or callable to determine where uploaded files should be stored relative to the MEDIA_ROOT, not an absolute path like you're currently using.

    The issue is that MEDIA_ROOT is an absolute path pointing to the root of your media files, but upload_to is meant to hold a subpath within MEDIA_ROOT. Using the absolute path in upload_to may be interpreted as a path traversal attempt.

    You should update upload_to to specify a relative directory within MEDIA_ROOT rather than using the absolute MEDIA_ROOT directly.

    from django.db.models import Model
    from django_resized import ResizedImageField

    class UserProfilePhoto(Model):
        ...

        # Relative to MEDIA_ROOT: files are stored under <MEDIA_ROOT>/user_photos/
        photo = ResizedImageField(size=[128, 128],
                                  upload_to="user_photos/")
        ...

    Here the upload_to="user_photos/" tells Django to store uploaded images in a subdirectory called user_photos under the MEDIA_ROOT directory.
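To see why the absolute path is rejected, here is an added example (not part of the original answer, and not Django's own source) that re-implements, in simplified form, the check Django's FileField runs on the name built from upload_to plus the uploaded file name: strftime() expansion of a string upload_to, a callable upload_to, and a purely syntactic rejection of any result that is absolute or contains "..". The MEDIA_ROOT value, the fixed date and the file names are constructed to match the question; the function names are this example's own.

```python
"""
Simplified re-implementation of the path check Django's FileField applies
when it builds a storage-relative file name from upload_to + the upload's name.
Added example for illustration; it mirrors the behaviour of Django's
FileField.generate_filename() / validate_file_name() but is not Django's code.
"""
import datetime
import pathlib
import posixpath


class SuspiciousFileOperation(Exception):
    """Stand-in for django.core.exceptions.SuspiciousFileOperation."""


def validate_file_name(name: str) -> str:
    """Reject a storage-relative name that could escape the storage root.

    The check is syntactic: it never compares against MEDIA_ROOT, so an
    absolute path is rejected even when it happens to lie under MEDIA_ROOT.
    """
    if posixpath.basename(name) in {"", ".", ".."}:
        raise SuspiciousFileOperation(f"Could not derive file name from '{name}'")
    path = pathlib.PurePosixPath(name)
    if path.is_absolute() or ".." in path.parts:
        raise SuspiciousFileOperation(f"Detected path traversal attempt in '{name}'")
    return name


def generate_filename(upload_to, filename: str, instance=None, now=None) -> str:
    """Build the name the way FileField does, then validate it.

    upload_to is either a string (strftime() directives are expanded, as
    Django documents) or a callable (instance, filename) -> relative path.
    """
    now = now or datetime.datetime.now()
    if callable(upload_to):
        name = upload_to(instance, filename)
    else:
        dirname = now.strftime(str(upload_to))
        name = posixpath.join(dirname, filename)
    return validate_file_name(name)


def outcome(upload_to, filename: str, **kw) -> str:
    """Accepted name or rejection message, for a one-line-per-case summary."""
    try:
        return "OK: " + generate_filename(upload_to, filename, **kw)
    except SuspiciousFileOperation as exc:
        return "REJECTED: " + str(exc)


MEDIA_ROOT = "/app/mine/media"                 # constructed to match the question
FIXED_NOW = datetime.datetime(2024, 1, 15)     # constructed date for reproducible output


def per_user_dir(instance, filename: str) -> str:
    """Hypothetical callable upload_to: one subdirectory per instance id."""
    return posixpath.join("user_photos", str(instance), posixpath.basename(filename))


if __name__ == "__main__":
    cases = [
        (MEDIA_ROOT, "mendlebrot-lawn.jpeg"),             # the question's setting
        ("user_photos/", "mendlebrot-lawn.jpeg"),         # the answer's fix
        ("user_photos/%Y/%m/", "mendlebrot-lawn.jpeg"),   # strftime() in upload_to
        (per_user_dir, "mendlebrot-lawn.jpeg"),           # callable upload_to
        ("user_photos/", "../../etc/passwd"),             # hostile name caught by the check
    ]
    for upload_to, filename in cases:
        label = getattr(upload_to, "__name__", repr(upload_to))
        print(f"{label:24} {filename!r:24} -> {outcome(upload_to, filename, instance=42, now=FIXED_NOW)}")
```

The first case reproduces the exact message from the question: upload_to=MEDIA_ROOT joined with the file name is an absolute path, and the check rejects absolute paths outright rather than resolving them against MEDIA_ROOT, which is why "turning it off" is the wrong fix and a relative upload_to is the right one. The last row only shows what the syntactic check catches; in a real upload Django has already reduced the browser-supplied name to its basename before this point.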