SuspiciousOperation: Suspicious file path in upload
SuspiciousOperation: suspicious file upload path
$ curl -F "file=@/etc/passwd" http://localhost:8000/upload/
HTTP/1.1 400 Bad Request
Why this happens
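User-supplied filenames can include .. segments or absolute paths. Storage backends reject paths that resolve outside the storage root, Django raises SuspiciousOperation, and the request fails with 400 Bad Request.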
Fix
Sanitize filenames with FileField.upload_to and default storages; never trust client filenames.
Wrong code
f = request.FILES['file']
path = '/uploads/' + f.name # unsafe
Fixed code
from django.db import models

class Doc(models.Model):
    # Django storage sanitizes names
    file = models.FileField(upload_to='docs/')
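
Added example (not from the original page and not Django's own code): a standard-library sketch of the containment check that sits behind this error, for code that has to build an upload path by hand. UnsafeUploadPath, resolve_upload_path, screen_names and the sample names are hypothetical and constructed for illustration.

```python
import os
import re


class UnsafeUploadPath(ValueError):
    """Hypothetical exception; plays the role SuspiciousOperation plays in Django."""


def resolve_upload_path(base_dir, client_name):
    """Return an absolute path under base_dir, or raise UnsafeUploadPath."""
    # Treat backslashes as separators so Windows-style names are caught on POSIX.
    name = client_name.replace("\\", "/")
    if not name or "\x00" in name:
        raise UnsafeUploadPath("empty name or NUL byte")
    # Reject absolute paths, including drive-letter forms such as C:/...
    if name.startswith("/") or re.match(r"^[A-Za-z]:", name):
        raise UnsafeUploadPath("absolute path: %r" % client_name)
    parts = name.split("/")
    if ".." in parts:
        raise UnsafeUploadPath("path traversal: %r" % client_name)
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, *parts))
    # Containment check after symlink resolution: the result must be strictly
    # inside the upload root, never the root itself or a sibling directory.
    if candidate == base or os.path.commonpath([base, candidate]) != base:
        raise UnsafeUploadPath("escapes upload root: %r" % client_name)
    return candidate


# Constructed sample filenames, as a client might send them.
CONSTRUCTED_NAMES = ["report.pdf", "docs/a.txt", "../../etc/passwd", "/etc/passwd"]


def screen_names(base_dir, names):
    """Map each name to its resolved path, or to None if it was rejected."""
    results = {}
    for n in names:
        try:
            results[n] = resolve_upload_path(base_dir, n)
        except UnsafeUploadPath:
            results[n] = None
    return results


if __name__ == "__main__":
    for name, path in screen_names("/srv/uploads", CONSTRUCTED_NAMES).items():
        print(name, "->", path if path else "REJECTED")
```

The final realpath comparison is what catches a symlink inside the upload root that points elsewhere, which string checks on the name alone would miss.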