我们从Python开源项目中,提取了以下50个代码示例,用于说明如何使用django.core.exceptions.SuspiciousFileOperation()。
def get_template_sources(self, template_name, template_dirs=None): """ Return an Origin object pointing to an absolute path in each directory in template_dirs. For security reasons, if a path doesn't lie inside one of the template_dirs it is excluded from the result set. """ if not template_dirs: template_dirs = self.get_dirs() for template_dir in template_dirs: try: name = safe_join(template_dir, template_name) except SuspiciousFileOperation: # The joined path was located outside of this template_dir # (it might be inside another one, so this isn't fatal). continue yield Origin( name=name, template_name=template_name, loader=self, )
def get_upload_to(self, filename): folder_name = 'original_videos' filename = self.file.field.storage.get_valid_name(filename) max_length = self._meta.get_field('file').max_length # Truncate filename so it fits in the 100 character limit # https://code.djangoproject.com/ticket/9893 file_path = os.path.join(folder_name, filename) too_long = len(file_path) - max_length if too_long > 0: head, ext = os.path.splitext(filename) if too_long > len(head) + 1: raise SuspiciousFileOperation('File name can not be shortened to a safe length') filename = head[:-too_long] + ext file_path = os.path.join(folder_name, filename) return os.path.join(folder_name, filename)
def get_template_sources(self, template_name, template_dirs=None, app_label=None, model_name=None): """ Return an Origin object pointing to an absolute path in each directory in template_dirs. For security reasons, if a path doesn't lie inside one of the template_dirs it is excluded from the result set. Source: django.template.loaders.filesystem.Loader Hard override accepts app_label and model_name """ if not template_dirs: template_dirs = self.get_dirs(app_label=app_label, model_name=model_name) for template_dir in template_dirs: try: name = safe_join(template_dir, template_name) except SuspiciousFileOperation: # The joined path was located outside of this template_dir # (it might be inside another one, so this isn't fatal). continue yield Origin( name=name, template_name=template_name, loader=self, )
def _replace_includes(self, apibp): matches = re.findall(r'<!-- include\((.*)\) -->', apibp) for match in matches: include_path = safe_join(os.path.dirname(self.blueprint), match) if not self._is_whitelisted(include_path): raise SuspiciousFileOperation("extension not in whitelist") # recursively replace any includes in child files include_apibp = self._replace_includes( open(include_path, 'r').read()) apibp = apibp.replace( '<!-- include(' + match + ') -->', include_apibp) return apibp
def _get_available_name(self, name, max_length=None): dir_name, file_name = os.path.split(name) file_root, file_ext = os.path.splitext(file_name) while self.exists(name) or (max_length and len(name) > max_length): # file_ext includes the dot. name = os.path.join(dir_name, "%s_%s%s" % (file_root, get_random_string(7), file_ext)) if max_length is None: continue # Truncate file_root if max_length exceeded. truncation = len(name) - max_length if truncation > 0: file_root = file_root[:-truncation] # Entire file_root was truncated in attempt to find an available filename. if not file_root: raise SuspiciousFileOperation( 'Storage can not find an available filename for "%s". ' 'Please make sure that the corresponding file field ' 'allows sufficient "max_length".' % name ) name = os.path.join(dir_name, "%s_%s%s" % (file_root, get_random_string(7), file_ext)) return name
def get_template_sources(self, template_name): # If the cookie doesn't exist, set it to the default theme default_theme = get_default_theme() theme = getattr(_local, 'theme', default_theme) this_theme = find_theme(theme) # If the theme is not valid, check the default theme ... if not this_theme: this_theme = find_theme(get_default_theme()) # If the theme is still not valid, then move along ... # these aren't the templates you are looking for if not this_theme: pass try: if not template_name.startswith('/'): try: yield safe_join( 'openstack_dashboard', this_theme[2], 'templates', template_name ) except SuspiciousFileOperation: yield os.path.join( this_theme[2], 'templates', template_name ) except UnicodeDecodeError: # The template dir name wasn't valid UTF-8. raise except ValueError: # The joined path was located outside of template_dir. pass
def get_available_name(self, name, max_length=None): """ Returns a filename that's free on the target storage system, and available for new content to be written to. """ dir_name, file_name = os.path.split(name) file_root, file_ext = os.path.splitext(file_name) # If the filename already exists, add an underscore and a random 7 # character alphanumeric string (before the file extension, if one # exists) to the filename until the generated filename doesn't exist. # Truncate original name if required, so the new filename does not # exceed the max_length. while self.exists(name) or (max_length and len(name) > max_length): # file_ext includes the dot. name = os.path.join(dir_name, "%s_%s%s" % (file_root, get_random_string(7), file_ext)) if max_length is None: continue # Truncate file_root if max_length exceeded. truncation = len(name) - max_length if truncation > 0: file_root = file_root[:-truncation] # Entire file_root was truncated in attempt to find an available filename. if not file_root: raise SuspiciousFileOperation( 'Storage can not find an available filename for "%s". ' 'Please make sure that the corresponding file field ' 'allows sufficient "max_length".' % name ) name = os.path.join(dir_name, "%s_%s%s" % (file_root, get_random_string(7), file_ext)) return name
def safe_join(base, *paths): """ Joins one or more path components to the base path component intelligently. Returns a normalized, absolute version of the final path. The final path must be located inside of the base path component (otherwise a ValueError is raised). """ base = force_text(base) paths = [force_text(p) for p in paths] final_path = abspathu(join(base, *paths)) base_path = abspathu(base) # Ensure final_path starts with base_path (using normcase to ensure we # don't false-negative on case insensitive operating systems like Windows), # further, one of the following conditions must be true: # a) The next character is the path separator (to prevent conditions like # safe_join("/dir", "/../d")) # b) The final path must be the same as the base path. # c) The base path must be the most root path (meaning either "/" or "C:\\") if (not normcase(final_path).startswith(normcase(base_path + sep)) and normcase(final_path) != normcase(base_path) and dirname(normcase(base_path)) != normcase(base_path)): raise SuspiciousFileOperation( 'The joined path ({}) is located outside of the base path ' 'component ({})'.format(final_path, base_path)) return final_path
def _save(self, name, content): if not hasattr(content, 'seek'): raise SuspiciousFileOperation('The django-cockatiel backend can only deal with ' 'files that support seeking.') content.seek(0) sha1 = hashlib.sha1() while True: chunk = content.read(1024) if not chunk: break sha1.update(chunk) content.seek(0) def put(node): resp = requests.put(self._get_url(node, name), data=content, headers={ 'X-Content-SHA1': sha1.hexdigest() }, allow_redirects=False) resp.raise_for_status() return resp resp = self._retry(put) loc = resp.headers['Location'] if loc.startswith('/'): loc = loc[1:] return loc
def get_available_name(self, name, max_length=None): if max_length and len(name) + 41 > max_length: raise SuspiciousFileOperation( 'Storage can not find an available filename for "%s". ' 'Please make sure that the corresponding file field ' 'allows sufficient "max_length".' % name ) return name
def path(self, name): try: path = safe_join(self.location, name) except ValueError: raise SuspiciousFileOperation("Attempted access to '%s' denied." % name) return os.path.normpath(path)
def test_include_suspicious_outside_project_dir(self): with self.assertRaises(SuspiciousFileOperation): self.get_response('apiblueprint_view/tests/fixtures/suspicious.md')
def test_include_suspicious_not_in_whitelist(self): with self.settings(APIBP_INCLUDE_WHITELIST=['.apibp', '.json']): with self.assertRaises(SuspiciousFileOperation): self.get_response('apiblueprint_view/tests/fixtures/parent.md')
def get_template_sources(self, template_name, template_dirs=None): """ Returns the absolute paths to "template_name", when appended to each directory in "template_dirs". Any paths that don't lie inside one of the template dirs are excluded from the result set, for security reasons. """ if not template_dirs: template_dirs = get_app_template_dirs('templates') for template_dir in template_dirs: try: yield safe_join(template_dir, template_name) except SuspiciousFileOperation: # The joined path was located outside of this template_dir # (it might be inside another one, so this isn't fatal). pass
def get_template_sources(self, template_name, template_dirs=None): """ Returns the absolute paths to "template_name", when appended to each directory in "template_dirs". Any paths that don't lie inside one of the template dirs are excluded from the result set, for security reasons. """ if not template_dirs: template_dirs = self.engine.dirs for template_dir in template_dirs: try: yield safe_join(template_dir, template_name) except SuspiciousFileOperation: # The joined path was located outside of this template_dir # (it might be inside another one, so this isn't fatal). pass
