#Suspicious File Operation

Hi, I have a problem. How do I need to save the file with custom name at custom path?
With this

default_storage.save(os.path.join(MEMES_DIR, meme_name), meme_file)

I have error about Suspicious File operation - path traversal attempt.

Its saying that the file uploaded has attempted path traversal. What was the file?

jpg

Can you try a different jpg file?

Already tried it.

And?

Same error

Can you share a screenshot?

of error?

Yeah

And the jpg file too

jpg and error
https://prnt.sc/ftv6QLUomFuh
https://prnt.sc/Zyl7g6Y0uuiE

Do you have any idea?

Try this https://stackoverflow.com/a/52987264/1431104

Hmm. How can i choose folder? Or it's default media root from settings?

You could pass the folder name in

https://stackoverflow.com/a/49554014/1431104

Pointing to a different answer

Yeah thank you. Now I'm going to go look for the answer to why two files are created instead of one. The first one has the name I specified, and the second one has random characters added.

That's weird. Can you share a screenshot of the 2 files and your code?

Are they the same files?

yep

https://prnt.sc/BJMW26nsJkUm Code
https://prnt.sc/mEbkpPSe2xMa Files

https://prnt.sc/4feSjyRs5hqp Full code of this element if needed

I have searched the whole runet and englishnet, but found no information about the two files that are created

@glossy flicker Did you find anything?

Sorry I was busy. Can you share the entire views function code? Preferably as text instead of a screenshot

Its possible that you're saving it twice

I was told the same thing in another chat room. Here is the entire code for this endpoint
https://dpaste.org/KhYZA

Looks like it's been changed. Did it get fixed?

Oh you about
#sss = default_storage.save(meme_name, meme_file)
default_storage.open(meme_name, "wb").write(meme_bytes)
?

No, I'm still trying to fix it

Are you there?

sorry I have no clue

Please stop sharing code as pictures, see #readme-1st for formatting

Why are you directly calling storage? You probably saving twice

so it automatically adds a hash or random string suffix

Because docs saying that?

And no, i'm saving only once

I sent it that way because it was requested

😦

No you don't need normally to do that

Still against server rules

Okay, well, I found the reason for the double save. But now I don't really understand how it should look like.
In the doc it was written in small text close to the background color in the code comment that this method File creates a file. How can I replace this method?

    def add_meme_to_checklist(author_id, filename, photo_hash):
        with open(os.path.join(settings.BASE_DIR, "memes", filename), "rb") as meme:
            MemeCheck(author_id=author_id, filename=filename, photo_hash=photo_hash, photo=File(meme)).save()
        return True, 201

What kind of method it is and why you need ita tll

And why are you opening something in base dir, you are not uploading a file?

Method File -> photo=File(meme)
I need it because without it I can't add image normally to model.

Yes, you can

Unless I'm missing important catch in what you are trying to do you seem to trying to force some strange way to do a simple thing

You don't need methods, and you don't need interaction with storage

Forms do everything for you

If you are reading files instead of uploading - then it's a different case

What do you mean? I'm opening created file. Before using default_storage I was using basic

with open(os.path.join(...) as f:
f.write(meme_bytes)

I get on request in form-data file. I save it with a randomly generated name to a folder. I read it from that folder.

You reading it? Why reading it?

Also reading it should be obj.file.read() or something like that?

Good question. Probably to ensure the integrity of the saved file. There's a lot of interaction that goes on with it.

But in order to read a file, you have to open it first, right?

mmm, yeah, right so obj.file.open() FIleField already knows how to interact with it

Okay. What is obj? How I need to add this code?

What i need to write instead of this piece

        with open(os.path.join(settings.BASE_DIR, "memes", filename), "rb") as meme:
            MemeCheck(author_id=author_id, filename=filename, photo_hash=photo_hash, photo=File(meme)).save()
```?

I don't know what this code supposed to do in the first place. What is MemeCheck class?

If you are uploading a file code be like

form = MyUploadForm(request.POST, request.FILES)
of form.is_valid():
    form.save()

and if you need to calculate hash, it go into the form or before the form.save()

I was told the right way to do it in another chat, but thank you so much for your help as well. Here's the solution

    def add_meme_to_checklist(author_id, filename, photo_hash):
        MemeCheck(author_id=author_id, filename=filename, photo_hash=photo_hash,
                  photo=os.path.join(settings.MEDIA_ROOT, filename)).save()
        return True, 201

I still don't know to do what

Perhaps the translator misrepresented what I meant by form-data. This is the type of data that is being transported in an HTTP request
https://prnt.sc/8OrIQBaJIPGK

When you are submitting a form, there is only one right way to process it - with django.form class (or serializer in libs like DRF)

Other methods may seem to work,but usually a quick way to disaster

So without bigger picture I can't tell. Maybe it's OK, maybe fundamentally wrong

hm. on other hand, if photo is an ImageField, joining MEDIA_ROOT here is wrong