On Tue, 2007-10-16 at 10:18 -0400, Marty Alchin wrote:
> I've done some work on FileField lately that addresses some of your concerns.
>
> On 10/16/07, Mark Green <[EMAIL PROTECTED]> wrote:
> > * Does Django properly sanitize the filename or, rather, use
> > safe temp files? I wonder what would happen if I tried to
> > upload a file called "../../traverse.txt"?
>
> I haven't done any testing on that particular situation, so I can't
> speak to that one.

Well, I guess I'll give it a shot and report to the list if there are problems.

> > * How can I enforce a filename on the uploaded file?
> > I want to completely ignore the remote name of the file
> > and instead store it as, for example, {{username}}.jpg
>
> There's a ticket[1] in Trac to revamp the way file storage is defined,
> which would allow you to override some of how Django selects a
> filename. Currently, it won't allow you to use the username, or any
> other details of the model the image is attached to, but that's
> becoming a common request, so I'll see about adding it before it hits
> trunk.

Interesting! I can only second that common request. ;) Any idea when it will be done?

> > * Anyone know if the PIL stuff is hardened against image bombs?
> > (small images that expand to gigabytes when expanded to bitmap)
> > Would it be feasible to subclass ImageFile and replace the PIL
> > calls with some paranoid homegrown stuff (i.e. ImageMagick)?
> > Anyone know a starting point for this?
>
> The ticket I mentioned above also makes it much easier to subclass
> FileField and ImageField to add or change whatever functionality you
> like. I don't know whether PIL already does what you need, but if
> you're paranoid, this patch should help you out.

Awesome. I know it's probably a fairly exotic request, but since my site deals heavily with images I can imagine some customization might pay off (security- or performance-wise).

Thanks for the info!

-mark

You received this message because you are subscribed to the Google Groups "Django users" group.
For more options, visit this group at http://groups.google.com/group/django-users?hl=en
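The three questions in the message above (the "../../traverse.txt" remote name, storing the file as {{username}}.jpg regardless of what the browser sent, and image bombs) can all be checked before anything is written to disk or handed to a decoder. The module below is an added example written for this page; it is not Django's, PIL's or ImageMagick's code and was not posted in the thread. It is plain Python 3 with no third-party dependency: the function names (safe_upload_name, resolve_under_root, check_image), the 25-megapixel budget, the extension allow-list and the make_png/make_gif/make_jpeg sample headers are all assumptions of the example, and the header parsers cover only PNG, GIF and JPEG.

```python
import os
import re
import struct

# Added example, not Django's or PIL's code. Limits and names below are assumptions.
MAX_PIXELS = 25 * 1000 * 1000   # 5000x5000 RGB decodes to ~75 MB; 40000x40000 to ~4.8 GB
ALLOWED_EXT = {".jpg": "jpeg", ".jpeg": "jpeg", ".png": "png", ".gif": "gif"}
_SAFE_USERNAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_-]{0,63}$")   # no dots, no separators

def safe_upload_name(username, remote_name):
    """Store as <username>.<ext>; the attacker-controlled remote name contributes only its extension."""
    if not _SAFE_USERNAME.match(username):
        raise ValueError("username is not safe to use as a filename")
    last = remote_name.replace("\\", "/").rsplit("/", 1)[-1]   # drop any directory part first
    ext = os.path.splitext(last)[1].lower()
    if ext not in ALLOWED_EXT:
        raise ValueError("disallowed extension %r" % ext)
    return username + (".jpg" if ext == ".jpeg" else ext)

def resolve_under_root(root, name):
    """Join name onto root and refuse anything that resolves outside root (belt and braces)."""
    root = os.path.abspath(root)
    full = os.path.abspath(os.path.join(root, name))
    if os.path.commonpath([root, full]) != root:
        raise ValueError("path escapes the upload root: %r" % full)
    return full

# --- header-only dimension sniffing: no pixel data is decoded, so a bomb costs nothing here ---
def _png_size(data):
    if len(data) < 24 or data[:8] != b"\x89PNG\r\n\x1a\n" or data[12:16] != b"IHDR":
        return None
    return struct.unpack(">II", data[16:24])            # IHDR width, height (big-endian)

def _gif_size(data):
    if len(data) < 10 or data[:6] not in (b"GIF87a", b"GIF89a"):
        return None
    return struct.unpack("<HH", data[6:10])            # logical screen width, height (little-endian)

def _jpeg_size(data):
    if data[:2] != b"\xff\xd8":
        return None
    i = 2
    while i + 4 <= len(data):                           # walk marker segments until a SOFn
        if data[i] != 0xFF:
            return None
        marker = data[i + 1]
        if marker == 0xFF:                              # fill byte
            i += 1
            continue
        if marker in (0x01, 0xD8) or 0xD0 <= marker <= 0xD7:   # standalone markers, no length
            i += 2
            continue
        if marker in (0xD9, 0xDA):                      # EOI / SOS reached with no frame header
            return None
        seglen = struct.unpack(">H", data[i + 2:i + 4])[0]
        if 0xC0 <= marker <= 0xCF and marker not in (0xC4, 0xC8, 0xCC):   # SOF0..SOF15
            if i + 9 > len(data):
                return None
            height, width = struct.unpack(">HH", data[i + 5:i + 9])   # after the precision byte
            return width, height
        i += 2 + seglen
    return None

def sniff_dimensions(data):
    """Return (format, (width, height)) read from the container header only."""
    for fmt, parser in (("png", _png_size), ("gif", _gif_size), ("jpeg", _jpeg_size)):
        size = parser(data)
        if size is not None:
            return fmt, size
    raise ValueError("not a recognised image")

def check_image(data, stored_name, max_pixels=MAX_PIXELS):
    """Reject content/extension mismatches and declared sizes that would blow up on decode."""
    ext = os.path.splitext(stored_name)[1].lower()
    fmt, (width, height) = sniff_dimensions(data)
    if ALLOWED_EXT.get(ext) != fmt:
        raise ValueError("content is %s but the name says %r" % (fmt, ext))
    if width == 0 or height == 0 or width * height > max_pixels:
        raise ValueError("declared %dx%d exceeds the %d-pixel budget" % (width, height, max_pixels))
    return fmt, width, height

# --- constructed sample inputs: headers only, no real image data, built for this example ---
def make_png(w, h):
    ihdr = struct.pack(">II", w, h) + b"\x08\x06\x00\x00\x00"
    return b"\x89PNG\r\n\x1a\n" + struct.pack(">I", 13) + b"IHDR" + ihdr + b"\0\0\0\0"

def make_gif(w, h):
    return b"GIF89a" + struct.pack("<HH", w, h) + b"\x00\x00\x00"

def make_jpeg(w, h):
    app0 = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sof0 = b"\x08" + struct.pack(">HH", h, w) + b"\x01\x01\x11\x00"
    return (b"\xff\xd8\xff\xe0" + struct.pack(">H", len(app0) + 2) + app0
            + b"\xff\xc0" + struct.pack(">H", len(sof0) + 2) + sof0)

if __name__ == "__main__":
    name = safe_upload_name("mark", "../../evil.jpg")   # 'mark.jpg'
    print(check_image(make_jpeg(640, 480), name))       # ('jpeg', 640, 480)
```

The order matters: pick the stored name yourself so nothing from the remote name reaches the path, then read the declared dimensions from the header and enforce a pixel budget before any decode call. An image bomb is small on disk and only becomes a problem when the decoder allocates width x height x channels, so a check that runs after `Image.open(...).load()` is too late. Reading the header also catches a `.jpg` whose bytes are really a PNG, which a check based on the extension alone would wave through. Current Pillow ships a comparable guard of its own (`Image.MAX_IMAGE_PIXELS`, with `DecompressionBombWarning` and `DecompressionBombError`), but the PIL of this thread's era did not, and an explicit sniff-before-decode step works the same whether the decoder behind it is PIL or ImageMagick.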