我在 Django 中部署一个 Web 应用程序,有一个页面从我的静态文件加载一些图像,该页面返回以下错误:
SuspiciousOperation at /wallet
Attempted access to '/coins/' denied.
我一直在读到这是因为媒体文件,但我不明白它是因为所有其他静态文件都正确加载。我正在使用来自 aws 的 s3。
这是我的 s3 配置文件:
import datetime
import os
BASE_DIR = os.path.dirname(os.path.dirname(os.path.abspath(__file__)))
AWS_ACCESS_KEY_ID = "whatever"
AWS_SECRET_ACCESS_KEY = "whatever"
AWS_STORAGE_BUCKET_NAME = 'xxx'
AWS_S3_CUSTOM_DOMAIN = '%s.s3.us-east-2.amazonaws.com' % AWS_STORAGE_BUCKET_NAME
AWS_S3_OBJECT_PARAMETERS = {
'CacheControl': 'max-age=86400',
}
AWS_LOCATION = 'static'
STATICFILES_DIRS = [
os.path.join(BASE_DIR, '../static'),
]
STATIC_URL = 'https://%s/%s/' % (AWS_S3_CUSTOM_DOMAIN, AWS_LOCATION)
STATICFILES_STORAGE = 'storages.backends.s3boto3.S3Boto3Storage'
MEDIA_URL = ''
MEDIA_ROOT = ''
Debug模式下的整个错误如下:
Environment:
Request Method: GET
Request URL: http://ip/wallet
Django Version: 2.0.5
Python Version: 3.6.6
Installed Applications:
['django.contrib.admin',
'django.contrib.auth',
'django.contrib.contenttypes',
'django.contrib.sessions',
'django.contrib.messages',
'django.contrib.staticfiles',
'profiles',
'portfolios',
'django_extensions',
'rest_framework',
'corsheaders',
'storages']
Installed Middleware:
['django.middleware.security.SecurityMiddleware',
'django.contrib.sessions.middleware.SessionMiddleware',
'django.middleware.common.CommonMiddleware',
'django.middleware.csrf.CsrfViewMiddleware',
'django.contrib.auth.middleware.AuthenticationMiddleware',
'django.contrib.messages.middleware.MessageMiddleware',
'django.middleware.clickjacking.XFrameOptionsMiddleware',
'corsheaders.middleware.CorsMiddleware',
'django.middleware.common.CommonMiddleware']
Template error:
In template /home/ubuntu/chimpy/templates/base.html, error at line 54
Attempted access to '/coins/' denied.
44 : <div class="sidebar-user">
45 : {% load static %}
46 : {# <div class="sbuser-pic"><a href="/user"><img src="{% static 'batman-for-facebook.jpg' %}" alt="" class="sbuser-pic-image"></a></div>#}
47 : <div class="sbuser-welcome">
48 : <h4 class="sbuser-name">Hola {{ request.user }}</h4>
49 : </div>
50 : </div>
51 : <div class="sb-menu">
52 : <ul class="sb-ul">
53 : <li id="dashboard" class="{% if active == 'dashboard' %}active{% endif %}"><i class="fas fa-sitemap"></i>Panel</li>
54 : <li id="wallet" class="{% if active == 'wallet' %}a ctive{% endif %}"><i class="fas fa-coins"></i>Cartera</li>
55 : <li id="history" class="{% if active == 'history' %}active{% endif %}"><i class="fas fa-history"></i>Histórico</li>
56 : <li id="user" class="{% if active == 'settings' %}active{% endif %}"><i class="fas fa-cogs"></i>Ajustes</li>
57 : </ul>
58 : <ul id="responsive-menu">
59 : <li id="app-name"><a href="/dashboard">Suribit</a></li>
60 : <li id="blank-space"></li>
61 : <li id="hello">Hola {{ request.user }}</li>
62 : <li id="logout"><button class="logout" onclick="location.href = '/logout';"><i class="fas fa-power-off"></i> Desconectarse </button></li>
63 : {# make it a double button#}
64 : </ul>
Traceback:
File "/home/ubuntu/django_env/lib/python3.6/site-packages/storages/backends/s3boto3.py" in _normalize_name
377. return safe_join(self.location, name)
File "/home/ubuntu/django_env/lib/python3.6/site-packages/storages/utils.py" in safe_join
79. raise ValueError('the joined path is located outside of the base path'
During handling of the above exception (the joined path is located outside of the base path component), another exception occurred:
File "/home/ubuntu/django_env/lib/python3.6/site-packages/django/core/handlers/exception.py" in inner
35. response = get_response(request)
File "/home/ubuntu/django_env/lib/python3.6/site-packages/django/core/handlers/base.py" in _get_response
128. response = self.process_exception_by_middleware(e, request)
File "/home/ubuntu/django_env/lib/python3.6/site-packages/django/core/handlers/base.py" in _get_response
126. response = wrapped_callback(request, *callback_args, **callback_kwargs)
File "/home/ubuntu/django_env/lib/python3.6/site-packages/django/contrib/auth/decorators.py" in _wrapped_view
21. return view_func(request, *args, **kwargs)
File "/home/ubuntu/chimpy/portfolios/views.py" in portfolio_edit
149. 'user_lapse': user_lapse})
File "/home/ubuntu/django_env/lib/python3.6/site-packages/django/shortcuts.py" in render
36. content = loader.render_to_string(template_name, context, request, using=using)
File "/home/ubuntu/django_env/lib/python3.6/site-packages/django/template/loader.py" in render_to_string
62. return template.render(context, request)
File "/home/ubuntu/django_env/lib/python3.6/site-packages/django/template/backends/django.py" in render
61. return self.template.render(context)
File "/home/ubuntu/django_env/lib/python3.6/site-packages/django/template/base.py" in render
175. return self._render(context)
File "/home/ubuntu/django_env/lib/python3.6/site-packages/django/template/base.py" in _render
167. return self.nodelist.render(context)
File "/home/ubuntu/django_env/lib/python3.6/site-packages/django/template/base.py" in render
943. bit = node.render_annotated(context)
File "/home/ubuntu/django_env/lib/python3.6/site-packages/django/template/base.py" in render_annotated
910. return self.render(context)
File "/home/ubuntu/django_env/lib/python3.6/site-packages/django/template/loader_tags.py" in render
155. return compiled_parent._render(context)
File "/home/ubuntu/django_env/lib/python3.6/site-packages/django/template/base.py" in _render
167. return self.nodelist.render(context)
File "/home/ubuntu/django_env/lib/python3.6/site-packages/django/template/base.py" in render
943. bit = node.render_annotated(context)
File "/home/ubuntu/django_env/lib/python3.6/site-packages/django/template/base.py" in render_annotated
910. return self.render(context)
File "/home/ubuntu/django_env/lib/python3.6/site-packages/django/template/loader_tags.py" in render
67. result = block.nodelist.render(context)
File "/home/ubuntu/django_env/lib/python3.6/site-packages/django/template/base.py" in render
943. bit = node.render_annotated(context)
File "/home/ubuntu/django_env/lib/python3.6/site-packages/django/template/base.py" in render_annotated
910. return self.render(context)
File "/home/ubuntu/django_env/lib/python3.6/site-packages/django/templatetags/static.py" in render
106. url = self.url(context)
File "/home/ubuntu/django_env/lib/python3.6/site-packages/django/templatetags/static.py" in url
103. return self.handle_simple(path)
File "/home/ubuntu/django_env/lib/python3.6/site-packages/django/templatetags/static.py" in handle_simple
118. return staticfiles_storage.url(path)
File "/home/ubuntu/django_env/lib/python3.6/site-packages/storages/backends/s3boto3.py" in url
561. name = self._normalize_name(self._clean_name(name))
File "/home/ubuntu/django_env/lib/python3.6/site-packages/storages/backends/s3boto3.py" in _normalize_name
380. name)
Exception Type: SuspiciousOperation at /wallet
Exception Value: Attempted access to '/coins/' denied.
非常感谢。
最佳答案
Django 自动为媒体文件创建路径 基于 MEDIA_URL 即/media/
该字段中的值不以“/”开头,django 将其视为可疑值/操作,因为如果它存在某些技巧,您/黑客应该能够访问系统文件。
尝试将字段值从 '/coins/abc.jpg'
更改为只是'coins/abc.jpg'
手动通过 django shell 或 sql 查询。
默认情况下,Django 以后一种模式创建值
关于python - 在 Django 中加载图像时的可疑操作,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/52107184/