On Tue, 2007-04-24 at 21:06 +1200, Enrico de Klerk wrote:
> Hi there,
>
> I've noticed a possible race condition in django/db/models/base.py.
>
> When a file field is saved in the _save_FIELD_file function it first
> checks whether a file with the same name already exists, and then adds
> underscores to the filename until it generates a unique name and then
> saves the file.
>
> # If the filename already exists, keep adding an underscore to the name
> of
> # the file until the filename doesn't exist.
> while os.path.exists(os.path.join(settings.MEDIA_ROOT,
> filename)):
> try:
> dot_index = filename.rindex('.')
> except ValueError: # filename has no dot
> filename += '_'
> else:
> filename = filename[:dot_index] + '_' +
> filename[dot_index:]
>
> # Write the file to disk.
> setattr(self, field.attname, filename)
>
> full_filename = self._get_FIELD_filename(field)
> fp = open(full_filename, 'wb')
> fp.write(raw_contents)
> fp.close()
>
> It looks like there may be a timing window where if two files with the
> same name are saved at roughly the same time, the first one will be
> overwritten. Shouldn't this use something like mkstemp that does this
> atomically?
The problem is that mkstemp doesn't give you a filename that looks
anything like the original. Even if you control the prefix and suffix,
there's still a large random block in the filename. Your analysis is
correct, though -- it is vulnerable to a race. Worth thinking about if
there's something we can do that's even less likely to collide.
Regards,
Malcolm
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups
"Django users" group.
To post to this group, send email to django-users@googlegroups.com
To unsubscribe from this group, send email to [EMAIL PROTECTED]
For more options, visit this group at
http://groups.google.com/group/django-users?hl=en
-~----------~----~----~----~------~----~------~--~---
