New behaviour of S3 storage exists() breaks current workflow
#1430
Comments
violuke
changed the title
|
Thanks for posting. The reason I made this change was two-fold:
I'm not surprised people were relying on the previous behavior and I frankly find the Django documentation bizarre but I feel a slight bit paralyzed. |
jschneier
changed the title
exists() breaks current workflow
|
Sorry, I am not versatile enough to get the full picture of the security issue. |
Before the upstream fix, yes. Now that Django has patched, no. The issue, in short, is that if the Storage overrides Also, I still provide support for unsupported versions of Django (though they will be dropped shortly) which did not get the patch. |
|
The corresponding fix in Django: django/django@fe4a0bb |
|
Okay, thanks for the explanation of the vulnerability. Am I correct in assuming that one of following solutions would work?
|
|
If the fix in Django is there then the following I think is fine because we are no longer relying on def get_available_name(self, name, max_length=None):
# TODO: something with max_length?
if self.file_overwrite:
return name
return super().get_available_name(name, max_length=max_length) |
|
Thanks everyone for the comments and time spent on this 🙏 I think I understand the reasoning behind the change originally, and we don't want a security issue, of course, but I personally feel that this should be reverted (or partially, at least). In my opinion, it's a bug of this package that I can create a file, then call If people are bothered about having security fixes (which they should be) then they should be updating this package and Django. If they don't do updates properly and continue to use old versions of this package and/or Django, then that's their (ill-advised) choice. If this change is reverted, then my thinking is that they have the security risk because they haven't also updated Django, as the fix is in Django and as long as they use the latest patch release of a supported version, they'll have the security fix. How do others feel about this logic? Thank you. |
|
Yeah, the documentation is a bit confusing:
It's not clear what should happen when a file referenced by the given name already exists and the name is available for a new file. I suppose I'd lean toward emulating whatever happens with a local filesystem, and maybe issue a warning if the user is using an unpatched version of Django. Another solution would be to add a I'd be happy to try making a contribution of either of these fixes. |
|
I just stumbled over this issue too, so I'm also a bit late to the changes in Django, which I'm not real fan of. I think the basic "exists" operation of a storage class should return exactly that information. But since this change is now part of Django too, I think the best option is to also set We're using wagtail a lot and setting file_overwrite to False is actually required there (see docs), but we've missed it for some other usages... So this default now seems to be the safer option, also because its analog to Django's handling. |
|
I think we should probably open a bug with Django. If someone has the time, please also to link to this issue. |
|
Good idea, done: https://code.djangoproject.com/ticket/35604 |
|
Thank you all for this discussion 👍 From what I understand, #1422 is motivated by django/django@0b33a3a. However, after the security release to Django, having The "side question" is "what does
Given the engagement on this discussion around what This is roughly my conclusion 👍 I will also write on the ticket So, in short, I hear you and will work on this. |
|
Hi all, I also attempted to upgrade to 1.14.4 and, as well, was hit by: django-storages/storages/backends/s3.py Lines 582 to 583 in e74f29b For us, this behavior based on variable naming is quite confusing because we want both Doubt it matters, but our use case is uploading compiled web assets to S3. I'm reading this thread and am very confused (I understand a lot of people are). At the root, is unintuitive that |
|
Given the way Django is moving there will be another release that partially undoes this change. |
The overwrite_files is True by default, and should be settable from the django settings using AZURE_OVERWRITE_FILES. Removing this override will keep the default behaviour (True), while still allowing users to change it. NOTE: this change is important because django / django-storages changed the semantics of the .exists() function, which now returns whether a path is free for upload (and not whether the file already exists on the remote storage). With overwrite_files set to True, .exists() will now always return False. See jschneier/django-storages#1430
The overwrite_files is True by default, and should be settable from the django settings using AZURE_OVERWRITE_FILES. Removing this override will keep the default behaviour (True), while still allowing users to change it. NOTE: this change is important because django / django-storages changed the semantics of the .exists() function, which now returns whether a path is free for upload (and not whether the file already exists on the remote storage). With overwrite_files set to True, .exists() will now always return False. See jschneier/django-storages#1430
|
Seconding the opinion that this should have been included in the changelog. We had this commit break the functionality of our app unexpectedly |
|
This change breaks the |
|
django/django@8d6a20b just landed in Django I want to thank @jschneier for all his work on the recent Django improvements and security release. |
The overwrite_files is True by default, and should be settable from the django settings using AZURE_OVERWRITE_FILES. Removing this override will keep the default behaviour (True), while still allowing users to change it. NOTE: this change is important because django / django-storages changed the semantics of the .exists() function, which now returns whether a path is free for upload (and not whether the file already exists on the remote storage). With overwrite_files set to True, .exists() will now always return False. See jschneier/django-storages#1430
In version 1.14.4 there are at least two modifications made that lead to a breaking change in Marsha. The most annoying one is linked to this issue: jschneier/django-storages#1430 and we have to wait a newer version with a fix to have the previous behaviour. This fix is related to a security issue in django. This security is fixed in version 4.2.14 and we already use this version, so we are safe. The second one is related to how the signature in computed when an url is generated. Previously the signature was generated no matter if we need it or not and then we choose to remove the signautre part using the private method `_strip_signing_parameters`. This private does not exists anymore, instead a new setting is used, we have to set the setting `querystring_auth` to False to not compute the signature, it's real improvement as it saves the cost of computing the signature.
|
In version 1.14.4 there is one modification made that lead to a breaking change in Joanie as explain in jschneier/django-storages#1430. We have to wait a newer version with a fix to have the previous behaviour. This fix is related to a security issue in django. This security is fixed in version 4.2.14, and we already use this version, so we are safe.
In version 1.14.4 there is one modification made that lead to a breaking change in Joanie as explain in jschneier/django-storages#1430. We have to wait a newer version with a fix to have the previous behaviour. This fix is related to a security issue in django. This security is fixed in version 4.2.14, and we already use this version, so we are safe.
|
Hello guys, i am updating django from 3.0.14 to 3.2.25. |
|
So I hit this week because it broke our APIs, and unfortunately spent a couple hours trying to figure out why this broke. I feel like this should have been a version bump to 1.15.0 with a warning emitted to the logs about this at a minimum when the return False is hit, or maybe raise an exception instead. Errors shouldn't really fail silently unless explicitly silenced. Further we're still on 1.14.4 with this behavior still even though Django 5.0.7 is out. Could you check the version of django using A lot of people are pinning the older version of django-storages which seems bad if there's a security hole. |
|
Maybe the new S3 Put-If-Match will help with overwrites: |
|
.exists should simply check if the file exists. allow_overwrite has absolutely nothing to do with whether a file exists. This is a straight forward bug. allow_overwrite should only impact methods writing the file. whoever merged that exists implementation should be more mindful. |
@sarahboyce does this mean that this issue can be closed? since that commit has been released in django 5.2a1, when we upgrade to django 5.2 we can also use django-storages 1.14.4? |
As someone who has also been impacted by this, I think the behavior of the S3 |
This is also my understanding. 5.1 already has the fix from Django's end 👍 |
|
Hey there, |
|
Work around: from botocore.exceptions import ClientError
from storages.backends.s3 import S3Storage
class FixedS3Storage(S3Storage):
"""
Custom S3Storage class that fixes the exists() bug in django-storages 1.14.4.
The bug causes exists() to return False for files that do in fact exist.
See: https://github.com/jschneier/django-storages/issues/1430
"""
def exists(self, name):
try:
self.connection.meta.client.head_object(
Bucket=self.bucket_name,
Key=self._normalize_name(self._clean_name(name)),
)
return True
except ClientError as err:
if err.response["ResponseMetadata"]["HTTPStatusCode"] == 404:
return False
# Some other error was encountered. Re-raise it.
raise
(now fixed to match django-storages function thanks to @ddelange pointer) |
|
@brycedrennan good pointer! To avoid a blind from botocore.exceptions import ClientError
from storages.backends.s3 import S3Storage
class FixedS3Storage(S3Storage):
"""
Custom S3Storage class that fixes the exists() bug in django-storages 1.14.4.
The bug causes exists() to return False for files that do in fact exist.
See: https://github.com/jschneier/django-storages/issues/1430
"""
def exists(self, name):
try:
self.connection.meta.client.head_object(
Bucket=self.bucket_name,
Key=self._normalize_name(self._clean_name(name)),
)
except ClientError as exc:
if exc.response.get("ResponseMetadata", {}).get("HTTPStatusCode") == 404:
return False
else:
raise
else:
return True |
|
You are correct. I should never trust an LLM to do a copy/paste (like I told it to). I intended to have it perfectly match source but with slight modification. Here is the source code it was supposed to mostly copy: django-storages/storages/backends/s3.py Lines 581 to 594 in b79ea31 |
|
So what's the plan here? |
|
@koleror I think most people have pinned the django-storages at a non-borked version if they need that function to work. I think a better approach would have been a settings config which needed an override if you really want that behavior. And then it would be your decision. I hope the devs take that approach in the future, as it broke us, and it wasn't clear in the Changelog that exists() was broken. |
|
Yes, of course, I followed the same approach as I think most people, which is fine for now because we're basically skipping only one version. But this can't stay like this for very long. At some point, there might be some compatibility issues with other packages or even python versions that would probably be handled in newer versions. |
The plan is that I wait for someone to provide a good PR that fixes the issue. I am happy to accept such a fix and the lack of it is why I haven't released a new version. I'm unlikely to do the work myself in the near-term future though. I also don't feel comfortable shipping a version that leaves the minor security issue I reported. Time will solve that problem eventually but I agree it's not ideal to wait. |
|
I appreciate the effort that you've put into this project. But on the other hand it broke us in production. And there wasn't anything in the changelog about why the behavior was changed. It was very frustrating on a Friday afternoon last year when an api wasn't working in production to find out that it was broken on purpose. First it's not your issue, it's django's issue to fix. This maybe a poor analogy but we don't shut down the internet because MacOS suddenly has a vulnerability. It's Apple's job to fix it for their devices. Second, everyone here is all grown adults. We can make informed choices. If this is a "minor" issue, why did you make the major change without a major version bump? |
Yes, completely understand the frustration, and my apologies about that.
I get your point but Apple can also proactively push & inform about fixes. It's honestly heartening that people are upgrading as much as they are. Part of the pickle I've gotten myself into here is that I want to drop older versions of Django but also want to fix this problem first.
I made this change because that was what the upstream maintainers of Django decided was meant by the API contract. Thankfully, users of this package were able to convince them that it was the wrong decision and they updated again to the less-surprising definition before releasing because I made the change (I did try myself beforehand). |
|
Fix for this is out, thanks for your patience. |
Since upgrading from 1.14.3 to 1.14.4, we're having a problem with this code:
On 1.14.3, I get the "All good!" print but with 1.14.4, I get the Exception.
Django 5.0.6.
I suspect this is a problem with #1381edit: see belowI've downgraded again for now, but any help would be much appreciated. Thanks to everyone involved for a really helpful package 🙏
The text was updated successfully, but these errors were encountered: