Image attachments can overwrite each other #7707

New Issue

Closed

opened 2025-12-29 20:27:17 +01:00 by adam · 5 comments

adam commented 2025-12-29 20:27:17 +01:00

Owner

Copy Link

Originally created by @ChefAustin on GitHub (Mar 2, 2023).

NetBox version

v3.4.5

Python version

3.10

Steps to Reproduce

1. Create a bogus Device Type, call it "JuniperRouter", and attach an image of a duck that has a filename of router.png
2. View the "JuniperRouter" device type record that was just created and note that the picture of the duck (router.png) exists and is displayed properly
3. Create a second bogus Device Type, call it "PaloAltoRouter", and attach an image of a porcupine that has a filename of router.png
4. View the "PaloAltoRouter" device type record that was just created and note that the picture of the porcupine (router.png) exists and is displayed properly
5. Navigate back to the "JuniperRouter" device type record that was created in step 1 above, and notice that the picture displayed is the porcupine (not the duck)

Expected Behavior

I expected either one of two (maybe three) behaviors:

1. [Most ideal end-user experience] Under-the-hood, Netbox prepends/appends a model object-specific identifier (or some form of unique identifier) to the image attachment (i.e. JuniperRouter-router.png && PaloAltoRouter-router.png) to avoid filename collisions and overwrites.
2. The record creation/modification request recognizes the impending collision, throws an error to the user, and fails to save.
3. The record creation/modification request recognizes the impending collision, automatically appends a iterator value to the attached image's filename (which increments automatically upon each successive, impending collision), and proceeds with upload using the new filename.

Observed Behavior

When these reproduction steps are followed, the image attachments overwrite one another due to the fact that the image filename is the same. IOW, Netbox uploads the image with the "as-is filename" which results in the duck image being overwritten with the porcupine image.

Originally created by @ChefAustin on GitHub (Mar 2, 2023). ### NetBox version v3.4.5 ### Python version 3.10 ### Steps to Reproduce 1. Create a bogus Device Type, call it "JuniperRouter", and attach an image of a duck that has a filename of `router.png` 2. View the "JuniperRouter" device type record that was just created and note that the picture of the duck (`router.png`) exists and is displayed properly 3. Create a second bogus Device Type, call it "PaloAltoRouter", and attach an image of a porcupine that has a filename of `router.png` 4. View the "PaloAltoRouter" device type record that was just created and note that the picture of the porcupine (`router.png`) exists and is displayed properly 5. Navigate back to the "JuniperRouter" device type record that was created in step 1 above, and notice that the picture displayed is the porcupine (not the duck) ### Expected Behavior I expected either one of two (maybe three) behaviors: 1. [Most ideal end-user experience] Under-the-hood, Netbox prepends/appends a model object-specific identifier (or some form of unique identifier) to the image attachment (i.e. `JuniperRouter-router.png` && `PaloAltoRouter-router.png`) to avoid filename collisions and overwrites. 2. The record creation/modification request recognizes the impending collision, throws an error to the user, and fails to save. 3. The record creation/modification request recognizes the impending collision, automatically appends a iterator value to the attached image's filename (which increments automatically upon each successive, impending collision), and proceeds with upload using the new filename. ### Observed Behavior When these reproduction steps are followed, the image attachments overwrite one another due to the fact that the image filename is the same. IOW, Netbox uploads the image with the "as-is filename" which results in the duck image being overwritten with the porcupine image.

adam added the type: bugstatus: under review labels 2025-12-29 20:27:17 +01:00

adam closed this issue 2025-12-29 20:27:17 +01:00

adam commented 2025-12-29 20:27:18 +01:00

Author

Owner

Copy Link

@jeremystretch commented on GitHub (Mar 7, 2023):

I'm not able to reproduce this, despite the delightfully entertaining instructions. 🙂 When the second file is uploaded, Django detects the duplicate filename and appends a random string to avoid overwriting the first file. The image associated with JuniperRouter is located at /media/devicetype-images/router.png, whereas the image associated with PaloAltoRouter is located at /media/devicetype-images/router_hUN1nRe.png. Both display their respective woodland creatures.

The automatic renaming is a function of Django's default storage backend, so I suspect one of two things is happening:

1. You're using a different storage backend (e.g. django-storages) which is not handling this automatically; or
2. NetBox has permission to write but not read files in the media path.

Can you confirm either of these conditions?

@jeremystretch commented on GitHub (Mar 7, 2023): I'm not able to reproduce this, despite the delightfully entertaining instructions. :slightly_smiling_face: When the second file is uploaded, Django detects the duplicate filename and appends a random string to avoid overwriting the first file. The image associated with JuniperRouter is located at `/media/devicetype-images/router.png`, whereas the image associated with PaloAltoRouter is located at `/media/devicetype-images/router_hUN1nRe.png`. Both display their respective woodland creatures. The automatic renaming is a function of Django's default [storage backend](https://docs.djangoproject.com/en/4.1/ref/files/storage/#django.core.files.storage.Storage.get_available_name), so I suspect one of two things is happening: 1. You're using a different storage backend (e.g. [django-storages](https://django-storages.readthedocs.io/en/stable/)) which is not handling this automatically; or 2. NetBox has permission to write but not read files in the media path. Can you confirm either of these conditions?

adam commented 2025-12-29 20:27:18 +01:00

Author

Owner

Copy Link

@ChefAustin commented on GitHub (Mar 7, 2023):

Interesting.

You are correct insofar that I'm using S3 storage backend but Netbox does have full CRUD permissions on the storage path (bucket).

@ChefAustin commented on GitHub (Mar 7, 2023): Interesting. You are correct insofar that I'm using S3 storage backend but Netbox does have full CRUD permissions on the storage path (bucket).

adam commented 2025-12-29 20:27:19 +01:00

Author

Owner

Copy Link

@jeremystretch commented on GitHub (Mar 7, 2023):

Thanks. It's almost certainly a limitation of the S3 backend then. We'll need to dig into it a bit further to determine if this is something that can be resolved upstream or if we need to accommodate the limitation in NetBox itself.

@jeremystretch commented on GitHub (Mar 7, 2023): Thanks. It's almost certainly a limitation of the S3 backend then. We'll need to dig into it a bit further to determine if this is something that can be resolved upstream or if we need to accommodate the limitation in NetBox itself.

adam commented 2025-12-29 20:27:19 +01:00

Author

Owner

Copy Link

@kkthxbye-code commented on GitHub (Mar 7, 2023):

I don't think there's anything to fix here, he just needs to pass AWS_S3_FILE_OVERWRITE: False to STORAGE_CONFIG.

https://django-storages.readthedocs.io/en/latest/backends/amazon-S3.html

https://docs.netbox.dev/en/stable/configuration/system/#storage_config

@kkthxbye-code commented on GitHub (Mar 7, 2023): I don't think there's anything to fix here, he just needs to pass `AWS_S3_FILE_OVERWRITE: False` to `STORAGE_CONFIG`. https://django-storages.readthedocs.io/en/latest/backends/amazon-S3.html https://docs.netbox.dev/en/stable/configuration/system/#storage_config

adam commented 2025-12-29 20:27:19 +01:00

Author

Owner

Copy Link

@ChefAustin commented on GitHub (Mar 8, 2023):

Just added AWS_S3_FILE_OVERWRITE: False to STORAGE_CONFIG, tested, and confirmed that default overwrite behavior has been disabled. Works as desired now.

Thanks for the insights, @kkthxbye-code and @jeremystretch; much appreciated!

@ChefAustin commented on GitHub (Mar 8, 2023): Just added `AWS_S3_FILE_OVERWRITE: False` to `STORAGE_CONFIG`, tested, and confirmed that default overwrite behavior has been disabled. Works as desired now. Thanks for the insights, @kkthxbye-code and @jeremystretch; much appreciated!

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

update-changelog-comments-docs

feature-removal-issue-type

20911-dropdown

20239-plugin-menu-classes-mutable-state

21097-graphql-id-lookups

feature

fix_module_substitution

20923-dcim-templates

20044-elevation-stuck-lightmode

feature-ip-prefix-link

v4.5-beta1-release

20068-import-moduletype-attrs

20766-fix-german-translation-code-literals

20378-del-script

7604-filter-modifiers-v3

circuit-swap

12318-case-insensitive-uniqueness

20637-improve-device-q-filter

20660-script-load

19724-graphql

20614-update-ruff

14884-script

02496-max-page

19720-macaddress-interface-generic-relation

19408-circuit-terminations-export-templates

20203-openapi-check

fix-19669-api-image-download

7604-filter-modifiers

19275-fixes-interface-bulk-edit

fix-17794-get_field_value_return_list

11507-show-aggregate-and-rir-on-api

9583-add_column_specific_search_field_to_tables

v4.5.0

v4.4.10

v4.4.9

v4.5.0-beta1

v4.4.8

v4.4.7

v4.4.6

v4.4.5

v4.4.4

v4.4.3

v4.4.2

v4.4.1

v4.4.0

v4.3.7

v4.4.0-beta1

v4.3.6

v4.3.5

v4.3.4

v4.3.3

v4.3.2

v4.3.1

v4.3.0

v4.2.9

v4.3.0-beta2

v4.2.8

v4.3.0-beta1

v4.2.7

v4.2.6

v4.2.5

v4.2.4

v4.2.3

v4.2.2

v4.2.1

v4.2.0

v4.1.11

v4.1.10

v4.1.9

v4.1.8

v4.2-beta1

v4.1.7

v4.1.6

v4.1.5

v4.1.4

v4.1.3

v4.1.2

v4.1.1

v4.1.0

v4.0.11

v4.0.10

v4.0.9

v4.1-beta1

v4.0.8

v4.0.7

v4.0.6

v4.0.5

v4.0.3

v4.0.2

v4.0.1

v4.0.0

v3.7.8

v3.7.7

v4.0-beta2

v3.7.6

v3.7.5

v4.0-beta1

v3.7.4

v3.7.3

v3.7.2

v3.7.1

v3.7.0

v3.6.9

v3.6.8

v3.6.7

v3.7-beta1

v3.6.6

v3.6.5

v3.6.4

v3.6.3

v3.6.2

v3.6.1

v3.6.0

v3.5.9

v3.6-beta2

v3.5.8

v3.6-beta1

v3.5.7

v3.5.6

v3.5.5

v3.5.4

v3.5.3

v3.5.2

v3.5.1

v3.5.0

v3.4.10

v3.4.9

v3.5-beta2

v3.4.8

v3.5-beta1

v3.4.7

v3.4.6

v3.4.5

v3.4.4

v3.4.3

v3.4.2

v3.4.1

v3.4.0

v3.3.10

v3.3.9

v3.4-beta1

v3.3.8

v3.3.7

v3.3.6

v3.3.5

v3.3.4

v3.3.3

v3.3.2

v3.3.1

v3.3.0

v3.2.9

v3.2.8

v3.3-beta2

v3.2.7

v3.3-beta1

v3.2.6

v3.2.5

v3.2.4

v3.2.3

v3.2.2

v3.2.1

v3.2.0

v3.1.11

v3.1.10

v3.2-beta2

v3.1.9

v3.2-beta1

v3.1.8

v3.1.7

v3.1.6

v3.1.5

v3.1.4

v3.1.3

v3.1.2

v3.1.1

v3.1.0

v3.0.12

v3.0.11

v3.0.10

v3.1-beta1

v3.0.9

v3.0.8

v3.0.7

v3.0.6

v3.0.5

v3.0.4

v3.0.3

v3.0.2

v3.0.1

v3.0.0

v2.11.12

v3.0-beta2

v2.11.11

v2.11.10

v3.0-beta1

v2.11.9

v2.11.8

v2.11.7

v2.11.6

v2.11.5

v2.11.4

v2.11.3

v2.11.2

v2.11.1

v2.11.0

v2.10.10

v2.10.9

v2.11-beta1

v2.10.8

v2.10.7

v2.10.6

v2.10.5

v2.10.4

v2.10.3

v2.10.2

v2.10.1

v2.10.0

v2.9.11

v2.10-beta2

v2.9.10

v2.10-beta1

v2.9.9

v2.9.8

v2.9.7

v2.9.6

v2.9.5

v2.9.4

v2.9.3

v2.9.2

v2.9.1

v2.9.0

v2.9-beta2

v2.8.9

v2.9-beta1

v2.8.8

v2.8.7

v2.8.6

v2.8.5

v2.8.4

v2.8.3

v2.8.2

v2.8.1

v2.8.0

v2.7.12

v2.7.11

v2.7.10

v2.7.9

v2.7.8

v2.7.7

v2.7.6

v2.7.5

v2.7.4

v2.7.3

v2.7.2

v2.7.1

v2.7.0

v2.6.12

v2.6.11

v2.6.10

v2.6.9

v2.7-beta1

Solcon-2020-01-06

v2.6.8

v2.6.7

v2.6.6

v2.6.5

v2.6.4

v2.6.3

v2.6.2

v2.6.1

v2.6.0

v2.5.13

v2.5.12

v2.6-beta1

v2.5.11

v2.5.10

v2.5.9

v2.5.8

v2.5.7

v2.5.6

v2.5.5

v2.5.4

v2.5.3

v2.5.2

v2.5.1

v2.5.0

v2.4.9

v2.5-beta2

v2.4.8

v2.5-beta1

v2.4.7

v2.4.6

v2.4.5

v2.4.4

v2.4.3

v2.4.2

v2.4.1

v2.4.0

v2.3.7

v2.4-beta1

v2.3.6

v2.3.5

v2.3.4

v2.3.3

v2.3.2

v2.3.1

v2.3.0

v2.2.10

v2.3-beta2

v2.2.9

v2.3-beta1

v2.2.8

v2.2.7

v2.2.6

v2.2.5

v2.2.4

v2.2.3

v2.2.2

v2.2.1

v2.2.0

v2.1.6

v2.2-beta2

v2.1.5

v2.2-beta1

v2.1.4

v2.1.3

v2.1.2

v2.1.1

v2.1.0

v2.0.10

v2.1-beta1

v2.0.9

v2.0.8

v2.0.7

v2.0.6

v2.0.5

v2.0.4

v2.0.3

v2.0.2

v2.0.1

v2.0.0

v2.0-beta3

v1.9.6

v1.9.5

v2.0-beta2

v1.9.4-r1

v1.9.3

v2.0-beta1

v1.9.2

v1.9.1

v1.9.0-r1

v1.8.4

v1.8.3

v1.8.2

v1.8.1

v1.8.0

v1.7.3

v1.7.2-r1

v1.7.1

v1.7.0

v1.6.3

v1.6.2-r1

v1.6.1-r1

1.6.1

v1.6.0

v1.5.2

v1.5.1

v1.5.0

v1.4.2

v1.4.1

v1.4.0

v1.3.2

v1.3.1

v1.3.0

v1.2.2

v1.2.1

v1.2.0

v1.1.0

v1.0.7-r1

v1.0.7

v1.0.6

v1.0.5

v1.0.4

v1.0.3-r1

v1.0.3

1.0.0

Labels

Clear labels

beta

breaking change

complexity: high

complexity: low

complexity: medium

needs milestone

netbox

pending closure

plugin candidate

pull-request

Mirrored from GitHub Pull Request

severity: high

severity: low

severity: medium

status: accepted

status: backlog

status: blocked

status: duplicate

status: needs owner

status: needs triage

status: revisions needed

status: under review

topic: GraphQL

topic: Internationalization

topic: OpenAPI

topic: UI/UX

topic: cabling

topic: event rules

topic: htmx navigation

topic: industrialization

topic: migrations

topic: plugins

topic: scripts

topic: templating

topic: testing

type: bug

type: deprecation

type: documentation

type: feature

type: housekeeping

type: translation

No Label status: under review type: bug

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

adam

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: starred/netbox#7707