
SuspiciousOperation when loading image in django

I am deploying a web application in Django, and there is a page that loads some images from my static files. That page returns the following error:

SuspiciousOperation at /wallet
Attempted access to '/coins/' denied.

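I have been reading that this is because of the media files, but I don't understand, because all the other static files load correctly. I am using AWS S3.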

This is my S3 configuration file:

import datetime
import os
BASE_DIR = os.path.dirname(os.path.dirname(os.path.abspath(__file__)))
AWS_ACCESS_KEY_ID = "whatever"
AWS_SECRET_ACCESS_KEY = "whatever"
AWS_STORAGE_BUCKET_NAME = 'xxx'
AWS_S3_CUSTOM_DOMAIN = '%s.s3.us-east-2.amazonaws.com' % AWS_STORAGE_BUCKET_NAME
AWS_S3_OBJECT_PARAMETERS = {
    'CacheControl': 'max-age=86400',
}
AWS_LOCATION = 'static'

STATICFILES_DIRS = [
    os.path.join(BASE_DIR, '../static'),
]
STATIC_URL = 'https://%s/%s/' % (AWS_S3_CUSTOM_DOMAIN, AWS_LOCATION)
STATICFILES_STORAGE = 'storages.backends.s3boto3.S3Boto3Storage'
MEDIA_URL = ''
MEDIA_ROOT = ''

The full error in debug mode is as follows:

Environment:


Request Method: GET
Request URL: http://ip/wallet

Django Version: 2.0.5
Python Version: 3.6.6
Installed Applications:
['django.contrib.admin',
 'django.contrib.auth',
 'django.contrib.contenttypes',
 'django.contrib.sessions',
 'django.contrib.messages',
 'django.contrib.staticfiles',
 'profiles',
 'portfolios',
 'django_extensions',
 'rest_framework',
 'corsheaders',
 'storages']
Installed Middleware:
['django.middleware.security.SecurityMiddleware',
 'django.contrib.sessions.middleware.SessionMiddleware',
 'django.middleware.common.CommonMiddleware',
 'django.middleware.csrf.CsrfViewMiddleware',
 'django.contrib.auth.middleware.AuthenticationMiddleware',
 'django.contrib.messages.middleware.MessageMiddleware',
 'django.middleware.clickjacking.XFrameOptionsMiddleware',
 'corsheaders.middleware.CorsMiddleware',
 'django.middleware.common.CommonMiddleware']


Template error:
In template /home/ubuntu/chimpy/templates/base.html, error at line 54
   Attempted access to '/coins/' denied.
   44 : <div class="sidebar-user">
   45 :     {% load static %}
   46 :     {#        <div class="sbuser-pic"><a href="/user"><img src="{% static 'batman-for-facebook.jpg' %}" alt="" class="sbuser-pic-image"></a></div>#}
   47 :     <div class="sbuser-welcome">
   48 :         <h4 class="sbuser-name">Hola {{ request.user }}</h4>
   49 :     </div>
   50 : </div>
   51 : <div class="sb-menu">
   52 :     <ul class="sb-ul">
   53 :         <li id="dashboard" class="{% if active == 'dashboard' %}active{% endif %}"><i class="fas fa-sitemap"></i>Panel</li>
   54 :         <li id="wallet" class="{% if  active == 'wallet' %}a ctive{% endif %}"><i class="fas fa-coins"></i>Cartera</li>
   55 :         <li id="history" class="{% if active == 'history' %}active{% endif %}"><i class="fas fa-history"></i>Histórico</li>
   56 :         <li id="user" class="{% if active == 'settings' %}active{% endif %}"><i class="fas fa-cogs"></i>Ajustes</li>
   57 :     </ul>
   58 :     <ul id="responsive-menu">
   59 :         <li id="app-name"><a href="/dashboard">Suribit</a></li>
   60 :         <li id="blank-space"></li>
   61 :         <li id="hello">Hola {{ request.user }}</li>
   62 :         <li id="logout"><button class="logout" onclick="location.href = '/logout';"><i class="fas fa-power-off"></i> Desconectarse </button></li>
   63 : {#        make it a double button#}
   64 :     </ul>


Traceback:

File "/home/ubuntu/django_env/lib/python3.6/site-packages/storages/backends/s3boto3.py" in _normalize_name
  377.             return safe_join(self.location, name)

File "/home/ubuntu/django_env/lib/python3.6/site-packages/storages/utils.py" in safe_join
  79.         raise ValueError('the joined path is located outside of the base path'

During handling of the above exception (the joined path is located outside of the base path component), another exception occurred:

File "/home/ubuntu/django_env/lib/python3.6/site-packages/django/core/handlers/exception.py" in inner
  35.             response = get_response(request)

File "/home/ubuntu/django_env/lib/python3.6/site-packages/django/core/handlers/base.py" in _get_response
  128.                 response = self.process_exception_by_middleware(e, request)

File "/home/ubuntu/django_env/lib/python3.6/site-packages/django/core/handlers/base.py" in _get_response
  126.                 response = wrapped_callback(request, *callback_args, **callback_kwargs)

File "/home/ubuntu/django_env/lib/python3.6/site-packages/django/contrib/auth/decorators.py" in _wrapped_view
  21.                 return view_func(request, *args, **kwargs)

File "/home/ubuntu/chimpy/portfolios/views.py" in portfolio_edit
  149.                        'user_lapse': user_lapse})

File "/home/ubuntu/django_env/lib/python3.6/site-packages/django/shortcuts.py" in render
  36.     content = loader.render_to_string(template_name, context, request, using=using)

File "/home/ubuntu/django_env/lib/python3.6/site-packages/django/template/loader.py" in render_to_string
  62.     return template.render(context, request)

File "/home/ubuntu/django_env/lib/python3.6/site-packages/django/template/backends/django.py" in render
  61.             return self.template.render(context)

File "/home/ubuntu/django_env/lib/python3.6/site-packages/django/template/base.py" in render
  175.                     return self._render(context)

File "/home/ubuntu/django_env/lib/python3.6/site-packages/django/template/base.py" in _render
  167.         return self.nodelist.render(context)

File "/home/ubuntu/django_env/lib/python3.6/site-packages/django/template/base.py" in render
  943.                 bit = node.render_annotated(context)

File "/home/ubuntu/django_env/lib/python3.6/site-packages/django/template/base.py" in render_annotated
  910.             return self.render(context)

File "/home/ubuntu/django_env/lib/python3.6/site-packages/django/template/loader_tags.py" in render
  155.             return compiled_parent._render(context)

File "/home/ubuntu/django_env/lib/python3.6/site-packages/django/template/base.py" in _render
  167.         return self.nodelist.render(context)

File "/home/ubuntu/django_env/lib/python3.6/site-packages/django/template/base.py" in render
  943.                 bit = node.render_annotated(context)

File "/home/ubuntu/django_env/lib/python3.6/site-packages/django/template/base.py" in render_annotated
  910.             return self.render(context)

File "/home/ubuntu/django_env/lib/python3.6/site-packages/django/template/loader_tags.py" in render
  67.                 result = block.nodelist.render(context)

File "/home/ubuntu/django_env/lib/python3.6/site-packages/django/template/base.py" in render
  943.                 bit = node.render_annotated(context)

File "/home/ubuntu/django_env/lib/python3.6/site-packages/django/template/base.py" in render_annotated
  910.             return self.render(context)

File "/home/ubuntu/django_env/lib/python3.6/site-packages/django/templatetags/static.py" in render
  106.         url = self.url(context)

File "/home/ubuntu/django_env/lib/python3.6/site-packages/django/templatetags/static.py" in url
  103.         return self.handle_simple(path)

File "/home/ubuntu/django_env/lib/python3.6/site-packages/django/templatetags/static.py" in handle_simple
  118.             return staticfiles_storage.url(path)

File "/home/ubuntu/django_env/lib/python3.6/site-packages/storages/backends/s3boto3.py" in url
  561.         name = self._normalize_name(self._clean_name(name))

File "/home/ubuntu/django_env/lib/python3.6/site-packages/storages/backends/s3boto3.py" in _normalize_name
  380.                                       name)

Exception Type: SuspiciousOperation at /wallet
Exception Value: Attempted access to '/coins/' denied.

Thank you very much.

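Django automatically creates the path for media files according to MEDIA_URL, i.e. /media/

The value in the field does not start with "/", and Django considers it a suspicious value/operation, because you/a hacker would be able to access system files if there were some trick.

Try manually changing the field value from '/coins/abc.jpg' to 'coins/abc.jpg' via the Django shell or a SQL query.

Django creates values in the latter pattern by default.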
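How a name such as '/coins/' ends up outside the 'static' location, as an added example (not code from the original post or from django-storages). `join_under_location` is a simplified stand-in for the `safe_join` call shown in the traceback; `repair_name`, `audit` and the sample names are hypothetical and constructed for illustration.

```python
import posixpath


def join_under_location(location, name):
    """Simplified stand-in for the containment check seen in the traceback.

    Joins `name` onto `location` and refuses any result that escapes it.
    """
    base = location.rstrip("/")
    # posixpath.join discards everything before an absolute component, so a
    # name starting with "/" replaces the base instead of extending it.
    joined = posixpath.normpath(posixpath.join(base + "/", name))
    if joined != base and not joined.startswith(base + "/"):
        raise ValueError(
            "the joined path is located outside of the base path component")
    return joined


def repair_name(location, name):
    """Strip leading slashes, then re-check so traversal is still refused."""
    candidate = name.lstrip("/")
    join_under_location(location, candidate)  # raises if it still escapes
    return candidate


def audit(location, names):
    """Classify stored names: ok, fixable by stripping "/", or reject."""
    report = {}
    for name in names:
        try:
            join_under_location(location, name)
            report[name] = "ok"
        except ValueError:
            try:
                report[name] = "rewrite to " + repair_name(location, name)
            except ValueError:
                report[name] = "reject"
    return report


# Constructed sample values, not taken from the asker's database.
SAMPLE_NAMES = ["coins/abc.jpg", "/coins/abc.jpg", "/coins/", "../settings.py"]

if __name__ == "__main__":
    for stored, verdict in audit("static", SAMPLE_NAMES).items():
        print(f"{stored!r:20} -> {verdict}")
```

Stripping the leading slash only repairs names that then resolve inside the location; a name that still climbs out with `..` stays rejected rather than being rewritten.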
