-
-
Notifications
You must be signed in to change notification settings - Fork 868
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
New behaviour of S3 storage exists()
breaks current workflow
#1430
Comments
Thanks for posting. The reason I made this change was two-fold:
I'm not surprised people were relying on the previous behavior and I frankly find the Django documentation bizarre but I feel a slight bit paralyzed. |
exists()
breaks current workflow
Sorry, I am not versatile enough to get the full picture of the security issue. |
Before the upstream fix, yes. Now that Django has patched, no. The issue, in short, is that if the Storage overrides Also, I still provide support for unsupported versions of Django (though they will be dropped shortly) which did not get the patch. |
The corresponding fix in Django: django/django@fe4a0bb |
Okay, thanks for the explanation of the vulnerability. Am I correct in assuming that one of following solutions would work?
|
If the fix in Django is there then the following I think is fine because we are no longer relying on def get_available_name(self, name, max_length=None):
# TODO: something with max_length?
if self.file_overwrite:
return name
return super().get_available_name(name, max_length=max_length) |
Thanks everyone for the comments and time spent on this 🙏 I think I understand the reasoning behind the change originally, and we don't want a security issue, of course, but I personally feel that this should be reverted (or partially, at least). In my opinion, it's a bug of this package that I can create a file, then call If people are bothered about having security fixes (which they should be) then they should be updating this package and Django. If they don't do updates properly and continue to use old versions of this package and/or Django, then that's their (ill-advised) choice. If this change is reverted, then my thinking is that they have the security risk because they haven't also updated Django, as the fix is in Django and as long as they use the latest patch release of a supported version, they'll have the security fix. How do others feel about this logic? Thank you. |
Yeah, the documentation is a bit confusing:
It's not clear what should happen when a file referenced by the given name already exists and the name is available for a new file. I suppose I'd lean toward emulating whatever happens with a local filesystem, and maybe issue a warning if the user is using an unpatched version of Django. Another solution would be to add a I'd be happy to try making a contribution of either of these fixes. |
I just stumbled over this issue too, so I'm also a bit late to the changes in Django, which I'm not real fan of. I think the basic "exists" operation of a storage class should return exactly that information. But since this change is now part of Django too, I think the best option is to also set We're using wagtail a lot and setting file_overwrite to False is actually required there (see docs), but we've missed it for some other usages... So this default now seems to be the safer option, also because its analog to Django's handling. |
I think we should probably open a bug with Django. If someone has the time, please also to link to this issue. |
Good idea, done: https://code.djangoproject.com/ticket/35604 |
Thank you all for this discussion 👍 From what I understand, #1422 is motivated by django/django@0b33a3a. However, after the security release to Django, having The "side question" is "what does
Given the engagement on this discussion around what This is roughly my conclusion 👍 I will also write on the ticket So, in short, I hear you and will work on this. |
Hi all, I also attempted to upgrade to 1.14.4 and, as well, was hit by: django-storages/storages/backends/s3.py Lines 582 to 583 in e74f29b
For us, this behavior based on variable naming is quite confusing because we want both Doubt it matters, but our use case is uploading compiled web assets to S3. I'm reading this thread and am very confused (I understand a lot of people are). At the root, is unintuitive that |
Given the way Django is moving there will be another release that partially undoes this change. |
The overwrite_files is True by default, and should be settable from the django settings using AZURE_OVERWRITE_FILES. Removing this override will keep the default behaviour (True), while still allowing users to change it. NOTE: this change is important because django / django-storages changed the semantics of the .exists() function, which now returns whether a path is free for upload (and not whether the file already exists on the remote storage). With overwrite_files set to True, .exists() will now always return False. See jschneier/django-storages#1430
The overwrite_files is True by default, and should be settable from the django settings using AZURE_OVERWRITE_FILES. Removing this override will keep the default behaviour (True), while still allowing users to change it. NOTE: this change is important because django / django-storages changed the semantics of the .exists() function, which now returns whether a path is free for upload (and not whether the file already exists on the remote storage). With overwrite_files set to True, .exists() will now always return False. See jschneier/django-storages#1430
Seconding the opinion that this should have been included in the changelog. We had this commit break the functionality of our app unexpectedly |
This change breaks the |
django/django@8d6a20b just landed in Django I want to thank @jschneier for all his work on the recent Django improvements and security release. |
The overwrite_files is True by default, and should be settable from the django settings using AZURE_OVERWRITE_FILES. Removing this override will keep the default behaviour (True), while still allowing users to change it. NOTE: this change is important because django / django-storages changed the semantics of the .exists() function, which now returns whether a path is free for upload (and not whether the file already exists on the remote storage). With overwrite_files set to True, .exists() will now always return False. See jschneier/django-storages#1430
In version 1.14.4 there are at least two modifications made that lead to a breaking change in Marsha. The most annoying one is linked to this issue: jschneier/django-storages#1430 and we have to wait a newer version with a fix to have the previous behaviour. This fix is related to a security issue in django. This security is fixed in version 4.2.14 and we already use this version, so we are safe. The second one is related to how the signature in computed when an url is generated. Previously the signature was generated no matter if we need it or not and then we choose to remove the signautre part using the private method `_strip_signing_parameters`. This private does not exists anymore, instead a new setting is used, we have to set the setting `querystring_auth` to False to not compute the signature, it's real improvement as it saves the cost of computing the signature.
In version 1.14.4 there are at least two modifications made that lead to a breaking change in Marsha. The most annoying one is linked to this issue: jschneier/django-storages#1430 and we have to wait a newer version with a fix to have the previous behaviour. This fix is related to a security issue in django. This security is fixed in version 4.2.14 and we already use this version, so we are safe. The second one is related to how the signature in computed when an url is generated. Previously the signature was generated no matter if we need it or not and then we choose to remove the signautre part using the private method `_strip_signing_parameters`. This private does not exists anymore, instead a new setting is used, we have to set the setting `querystring_auth` to False to not compute the signature, it's real improvement as it saves the cost of computing the signature.
In version 1.14.4 there are at least two modifications made that lead to a breaking change in Marsha. The most annoying one is linked to this issue: jschneier/django-storages#1430 and we have to wait a newer version with a fix to have the previous behaviour. This fix is related to a security issue in django. This security is fixed in version 4.2.14 and we already use this version, so we are safe. The second one is related to how the signature in computed when an url is generated. Previously the signature was generated no matter if we need it or not and then we choose to remove the signautre part using the private method `_strip_signing_parameters`. This private does not exists anymore, instead a new setting is used, we have to set the setting `querystring_auth` to False to not compute the signature, it's real improvement as it saves the cost of computing the signature.
In version 1.14.4 there are at least two modifications made that lead to a breaking change in Marsha. The most annoying one is linked to this issue: jschneier/django-storages#1430 and we have to wait a newer version with a fix to have the previous behaviour. This fix is related to a security issue in django. This security is fixed in version 4.2.14 and we already use this version, so we are safe. The second one is related to how the signature in computed when an url is generated. Previously the signature was generated no matter if we need it or not and then we choose to remove the signautre part using the private method `_strip_signing_parameters`. This private does not exists anymore, instead a new setting is used, we have to set the setting `querystring_auth` to False to not compute the signature, it's real improvement as it saves the cost of computing the signature.
In version 1.14.4 there are at least two modifications made that lead to a breaking change in Marsha. The most annoying one is linked to this issue: jschneier/django-storages#1430 and we have to wait a newer version with a fix to have the previous behaviour. This fix is related to a security issue in django. This security is fixed in version 4.2.14 and we already use this version, so we are safe. The second one is related to how the signature in computed when an url is generated. Previously the signature was generated no matter if we need it or not and then we choose to remove the signautre part using the private method `_strip_signing_parameters`. This private does not exists anymore, instead a new setting is used, we have to set the setting `querystring_auth` to False to not compute the signature, it's real improvement as it saves the cost of computing the signature.
In version 1.14.4 there are at least two modifications made that lead to a breaking change in Marsha. The most annoying one is linked to this issue: jschneier/django-storages#1430 and we have to wait a newer version with a fix to have the previous behaviour. This fix is related to a security issue in django. This security is fixed in version 4.2.14 and we already use this version, so we are safe. The second one is related to how the signature in computed when an url is generated. Previously the signature was generated no matter if we need it or not and then we choose to remove the signautre part using the private method `_strip_signing_parameters`. This private does not exists anymore, instead a new setting is used, we have to set the setting `querystring_auth` to False to not compute the signature, it's real improvement as it saves the cost of computing the signature.
|
In version 1.14.4 there is one modification made that lead to a breaking change in Joanie as explain in jschneier/django-storages#1430. We have to wait a newer version with a fix to have the previous behaviour. This fix is related to a security issue in django. This security is fixed in version 4.2.14, and we already use this version, so we are safe.
In version 1.14.4 there is one modification made that lead to a breaking change in Joanie as explain in jschneier/django-storages#1430. We have to wait a newer version with a fix to have the previous behaviour. This fix is related to a security issue in django. This security is fixed in version 4.2.14, and we already use this version, so we are safe.
Hello guys, i am updating django from 3.0.14 to 3.2.25. |
So I hit this week because it broke our APIs, and unfortunately spent a couple hours trying to figure out why this broke. I feel like this should have been a version bump to 1.15.0 with a warning emitted to the logs about this at a minimum when the return False is hit, or maybe raise an exception instead. Errors shouldn't really fail silently unless explicitly silenced. Further we're still on 1.14.4 with this behavior still even though Django 5.0.7 is out. Could you check the version of django using A lot of people are pinning the older version of django-storages which seems bad if there's a security hole. |
Maybe the new S3 Put-If-Match will help with overwrites: |
Since upgrading from 1.14.3 to 1.14.4, we're having a problem with this code:
On 1.14.3, I get the "All good!" print but with 1.14.4, I get the Exception.
Django 5.0.6.
I suspect this is a problem with #1381edit: see belowI've downgraded again for now, but any help would be much appreciated. Thanks to everyone involved for a really helpful package 🙏
The text was updated successfully, but these errors were encountered: