在Django中加载图像时的SuspiciousOperation

时间:2018-08-31 01:00:23

标签: python django amazon-web-services amazon-s3 static

我正在django中部署一个Web应用程序,有一个页面从我的静态文件中加载了一些图像,并返回了以下错误:

SuspiciousOperation at /wallet
Attempted access to '/coins/' denied.

我一直在读这是因为媒体文件,但是我不理解它,因为所有其他静态文件都正确加载。我正在使用来自AWS的s3。

这是我的s3配置文件:

import datetime
import os
BASE_DIR = os.path.dirname(os.path.dirname(os.path.abspath(__file__)))
AWS_ACCESS_KEY_ID = "whatever"
AWS_SECRET_ACCESS_KEY = "whatever"
AWS_STORAGE_BUCKET_NAME = 'xxx'
AWS_S3_CUSTOM_DOMAIN = '%s.s3.us-east-2.amazonaws.com' % AWS_STORAGE_BUCKET_NAME
AWS_S3_OBJECT_PARAMETERS = {
    'CacheControl': 'max-age=86400',
}
AWS_LOCATION = 'static'

STATICFILES_DIRS = [
    os.path.join(BASE_DIR, '../static'),
]
STATIC_URL = 'https://%s/%s/' % (AWS_S3_CUSTOM_DOMAIN, AWS_LOCATION)
STATICFILES_STORAGE = 'storages.backends.s3boto3.S3Boto3Storage'
MEDIA_URL = ''
MEDIA_ROOT = ''

,调试模式下的整个错误如下:

Environment:


Request Method: GET
Request URL: http://ip/wallet

Django Version: 2.0.5
Python Version: 3.6.6
Installed Applications:
['django.contrib.admin',
 'django.contrib.auth',
 'django.contrib.contenttypes',
 'django.contrib.sessions',
 'django.contrib.messages',
 'django.contrib.staticfiles',
 'profiles',
 'portfolios',
 'django_extensions',
 'rest_framework',
 'corsheaders',
 'storages']
Installed Middleware:
['django.middleware.security.SecurityMiddleware',
 'django.contrib.sessions.middleware.SessionMiddleware',
 'django.middleware.common.CommonMiddleware',
 'django.middleware.csrf.CsrfViewMiddleware',
 'django.contrib.auth.middleware.AuthenticationMiddleware',
 'django.contrib.messages.middleware.MessageMiddleware',
 'django.middleware.clickjacking.XFrameOptionsMiddleware',
 'corsheaders.middleware.CorsMiddleware',
 'django.middleware.common.CommonMiddleware']


Template error:
In template /home/ubuntu/chimpy/templates/base.html, error at line 54
   Attempted access to '/coins/' denied.
   44 : <div class="sidebar-user">
   45 :     {% load static %}
   46 :     {#        <div class="sbuser-pic"><a href="/user"><img src="{% static 'batman-for-facebook.jpg' %}" alt="" class="sbuser-pic-image"></a></div>#}
   47 :     <div class="sbuser-welcome">
   48 :         <h4 class="sbuser-name">Hola {{ request.user }}</h4>
   49 :     </div>
   50 : </div>
   51 : <div class="sb-menu">
   52 :     <ul class="sb-ul">
   53 :         <li id="dashboard" class="{% if active == 'dashboard' %}active{% endif %}"><i class="fas fa-sitemap"></i>Panel</li>
   54 :         <li id="wallet" class="{% if  active == 'wallet' %}a ctive{% endif %}"><i class="fas fa-coins"></i>Cartera</li>
   55 :         <li id="history" class="{% if active == 'history' %}active{% endif %}"><i class="fas fa-history"></i>Histórico</li>
   56 :         <li id="user" class="{% if active == 'settings' %}active{% endif %}"><i class="fas fa-cogs"></i>Ajustes</li>
   57 :     </ul>
   58 :     <ul id="responsive-menu">
   59 :         <li id="app-name"><a href="/dashboard">Suribit</a></li>
   60 :         <li id="blank-space"></li>
   61 :         <li id="hello">Hola {{ request.user }}</li>
   62 :         <li id="logout"><button class="logout" onclick="location.href = '/logout';"><i class="fas fa-power-off"></i> Desconectarse </button></li>
   63 : {#        make it a double button#}
   64 :     </ul>


Traceback:

File "/home/ubuntu/django_env/lib/python3.6/site-packages/storages/backends/s3boto3.py" in _normalize_name
  377.             return safe_join(self.location, name)

File "/home/ubuntu/django_env/lib/python3.6/site-packages/storages/utils.py" in safe_join
  79.         raise ValueError('the joined path is located outside of the base path'

During handling of the above exception (the joined path is located outside of the base path component), another exception occurred:

File "/home/ubuntu/django_env/lib/python3.6/site-packages/django/core/handlers/exception.py" in inner
  35.             response = get_response(request)

File "/home/ubuntu/django_env/lib/python3.6/site-packages/django/core/handlers/base.py" in _get_response
  128.                 response = self.process_exception_by_middleware(e, request)

File "/home/ubuntu/django_env/lib/python3.6/site-packages/django/core/handlers/base.py" in _get_response
  126.                 response = wrapped_callback(request, *callback_args, **callback_kwargs)

File "/home/ubuntu/django_env/lib/python3.6/site-packages/django/contrib/auth/decorators.py" in _wrapped_view
  21.                 return view_func(request, *args, **kwargs)

File "/home/ubuntu/chimpy/portfolios/views.py" in portfolio_edit
  149.                        'user_lapse': user_lapse})

File "/home/ubuntu/django_env/lib/python3.6/site-packages/django/shortcuts.py" in render
  36.     content = loader.render_to_string(template_name, context, request, using=using)

File "/home/ubuntu/django_env/lib/python3.6/site-packages/django/template/loader.py" in render_to_string
  62.     return template.render(context, request)

File "/home/ubuntu/django_env/lib/python3.6/site-packages/django/template/backends/django.py" in render
  61.             return self.template.render(context)

File "/home/ubuntu/django_env/lib/python3.6/site-packages/django/template/base.py" in render
  175.                     return self._render(context)

File "/home/ubuntu/django_env/lib/python3.6/site-packages/django/template/base.py" in _render
  167.         return self.nodelist.render(context)

File "/home/ubuntu/django_env/lib/python3.6/site-packages/django/template/base.py" in render
  943.                 bit = node.render_annotated(context)

File "/home/ubuntu/django_env/lib/python3.6/site-packages/django/template/base.py" in render_annotated
  910.             return self.render(context)

File "/home/ubuntu/django_env/lib/python3.6/site-packages/django/template/loader_tags.py" in render
  155.             return compiled_parent._render(context)

File "/home/ubuntu/django_env/lib/python3.6/site-packages/django/template/base.py" in _render
  167.         return self.nodelist.render(context)

File "/home/ubuntu/django_env/lib/python3.6/site-packages/django/template/base.py" in render
  943.                 bit = node.render_annotated(context)

File "/home/ubuntu/django_env/lib/python3.6/site-packages/django/template/base.py" in render_annotated
  910.             return self.render(context)

File "/home/ubuntu/django_env/lib/python3.6/site-packages/django/template/loader_tags.py" in render
  67.                 result = block.nodelist.render(context)

File "/home/ubuntu/django_env/lib/python3.6/site-packages/django/template/base.py" in render
  943.                 bit = node.render_annotated(context)

File "/home/ubuntu/django_env/lib/python3.6/site-packages/django/template/base.py" in render_annotated
  910.             return self.render(context)

File "/home/ubuntu/django_env/lib/python3.6/site-packages/django/templatetags/static.py" in render
  106.         url = self.url(context)

File "/home/ubuntu/django_env/lib/python3.6/site-packages/django/templatetags/static.py" in url
  103.         return self.handle_simple(path)

File "/home/ubuntu/django_env/lib/python3.6/site-packages/django/templatetags/static.py" in handle_simple
  118.             return staticfiles_storage.url(path)

File "/home/ubuntu/django_env/lib/python3.6/site-packages/storages/backends/s3boto3.py" in url
  561.         name = self._normalize_name(self._clean_name(name))

File "/home/ubuntu/django_env/lib/python3.6/site-packages/storages/backends/s3boto3.py" in _normalize_name
  380.                                       name)

Exception Type: SuspiciousOperation at /wallet
Exception Value: Attempted access to '/coins/' denied.

非常感谢。

1 个答案:

答案 0 :(得分:2)

Django自动为媒体文件创建路径 基于MEDIA_URL,即/ media /

该字段中的值不是以“ /”开头,并且django认为它是可疑的值/操作,因为如果存在某些技巧,您/黑客应该可以使用系统文件。

尝试通过django shell或sql查询将字段值从'/coins/abc.jpg'更改为'coins/abc.jpg'

Django默认情况下以后一种模式创建值

相关问题
最新问题