Author: adrian Date: 2006-08-14 18:07:43 -0500 (Mon, 14 Aug 2006) New Revision: 3585
Modified: django/trunk/docs/model-api.txt Log: Added paragraph to docs/model-api.txt explicitly pointing out file uploads should be validated, for security reasons Modified: django/trunk/docs/model-api.txt =================================================================== --- django/trunk/docs/model-api.txt 2006-08-14 18:52:53 UTC (rev 3584) +++ django/trunk/docs/model-api.txt 2006-08-14 23:07:43 UTC (rev 3585) @@ -230,6 +230,14 @@ upload a file on Jan. 15, 2007, it will be saved in the directory ``/home/media/photos/2007/01/15``. +Note that whenever you deal with uploaded files, you should pay close attention +to where you're uploading them and what type of files they are, to avoid +security holes. *Validate all uploaded files* so that you're sure the files are +what you think they are. For example, if you blindly let somebody upload files, +without validation, to a directory that's within your Web server's document +root, then somebody could upload a CGI or PHP script and execute that script by +visiting its URL on your site. Don't allow that. + .. _`strftime formatting`: http://docs.python.org/lib/module-time.html#l2h-1941 ``FilePathField`` --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "Django updates" group. To post to this group, send email to [email protected] To unsubscribe from this group, send email to [EMAIL PROTECTED] For more options, visit this group at http://groups.google.com/group/django-updates -~----------~----~----~----~------~----~------~--~---
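Review bot: the added paragraph tells readers to "validate all uploaded files" but does not say what a sufficient check looks like, which matters because the threat it describes (a CGI or PHP script executed by visiting its URL) is not prevented by trusting the client-supplied filename, extension or Content-Type. Consider adding one concrete sentence after "Don't allow that.", along the lines of: keep the ``upload_to`` target outside the Web server's document root, or configure the server so that nothing in the upload directory is ever executed, and inspect file contents rather than relying on the name alone. Tying that advice back to the ``upload_to`` example just above (``/home/media/photos/2007/01/15``) would make clear which setting controls where files land.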
