#3531: ImageField - possible script injection
----------------------------------------------------+-----------------------
   Reporter:  Piotr Maliński <[EMAIL PROTECTED]>    |  Owner:  adrian
     Status:  closed                                |  Component:  Database wrapper
    Version:  SVN                                   |  Resolution:  invalid
   Keywords:                                        |  Stage:  Unreviewed
  Has_patch:  0                                     |  Needs_docs:  0
Needs_tests:  0                                     |  Needs_better_patch:  0
----------------------------------------------------+-----------------------
Changes (by mtredinnick):

  * status:  new => closed
  * needs_better_patch:  => 0
  * resolution:  => invalid
  * needs_tests:  => 0
  * needs_docs:  => 0

Comment:

 Thanks for the report (and the thinking behind it), however checking
 extensions is not a good way of doing security. It is the approach used by
 Microsoft in Windows and one of the reasons it is so easy to exploit that
 platform. Forcing people to use particular extensions (or any extension at
 all) for a file is not good practice. MIME types exist to avoid this very
 problem.
 
 Uploading images (or other files) into a directory where the contents are
 automatically executed as CGI scripts is the real problem here. It just
 shouldn't be done (executing files that start with garbage and looking for
 meaningful strings in the middle of them is another problem). There is, in
 general, no 100% reliable way to check that something is just an image (or
 other type of file -- after all, we don't just allow image uploading if
 you use the FileField field, for example) and not *also* a file that
 might be mysteriously executed by an interpreter that processes any junk
 it is fed. It is quite possible that an image could legitimately contain
 the "magic string" that triggers execution by some language interpreter.
 
 This is a security problem, but the problem is on the side of the server
 doing the uploads into an executable directory (or possibly serving files
 with an incorrect MIME type).
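The comment above makes two points: a format check (extension or magic bytes) cannot prove a file is *only* an image, and the real mitigation is where the upload is stored and how it is served. The following is an added example, not code from the ticket or from Django, showing an upload handler built on that reasoning: the file is accepted only if its leading bytes match a known image signature, stored under a server-generated name with no client-supplied extension in a directory assumed to be outside the document root, and served with a Content-Type derived from those bytes plus `X-Content-Type-Options: nosniff`. The `make_png_with_text` helper builds a constructed, valid PNG carrying an arbitrary tEXt chunk to show that the signature check still passes whatever else the file contains, which is exactly why the check alone is not the defence. The signature table, function names and `upload_dir` layout are assumptions of this example.

```python
import os
import secrets
import struct
import tempfile
import zlib

# Magic-byte signatures for the image types this handler is willing to serve.
# Constructed table for the example; anything not listed is rejected or served opaquely.
IMAGE_SIGNATURES = {
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"\xff\xd8\xff": "image/jpeg",
    b"GIF87a": "image/gif",
    b"GIF89a": "image/gif",
}


def detect_image_type(data: bytes):
    """Return the MIME type implied by the file's leading bytes, or None.

    This only says what the file *starts* as; it says nothing about what
    else is inside it, so it must not be the sole line of defence.
    """
    for magic, mime in IMAGE_SIGNATURES.items():
        if data.startswith(magic):
            return mime
    return None


def store_upload(data: bytes, upload_dir: str) -> str:
    """Store an upload under a server-generated name, ignoring the client's filename.

    upload_dir is assumed to sit outside the web server's document root, so
    nothing placed there can be picked up by a CGI or script handler.
    """
    if detect_image_type(data) is None:
        raise ValueError("not a supported image type")
    name = secrets.token_hex(16)  # no user-controlled name, no extension at all
    path = os.path.join(upload_dir, name)
    with open(path, "wb") as fh:
        fh.write(data)
    os.chmod(path, 0o600)  # readable by the application only, never executable
    return name


def response_headers(data: bytes) -> dict:
    """Headers for serving a stored file.

    The content type comes from the sniffed magic bytes, never from the
    original filename, and the browser is told not to second-guess it.
    """
    mime = detect_image_type(data)
    if mime is None:
        # Unknown content is handed over as an opaque download, never rendered.
        return {
            "Content-Type": "application/octet-stream",
            "Content-Disposition": "attachment",
            "X-Content-Type-Options": "nosniff",
        }
    return {
        "Content-Type": mime,
        "Content-Disposition": "inline",
        "X-Content-Type-Options": "nosniff",
    }


def _png_chunk(kind: bytes, body: bytes) -> bytes:
    """Encode one PNG chunk: length, type, data, CRC over type+data."""
    crc = zlib.crc32(kind + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + kind + body + struct.pack(">I", crc)


def make_png_with_text(comment: bytes) -> bytes:
    """Build a valid 1x1 RGB PNG that carries an arbitrary tEXt chunk (constructed sample)."""
    ihdr = _png_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0))
    text = _png_chunk(b"tEXt", b"Comment\x00" + comment)
    idat = _png_chunk(b"IDAT", zlib.compress(b"\x00\x00\x00\x00"))  # filter byte + one pixel
    return b"\x89PNG\r\n\x1a\n" + ihdr + text + idat + _png_chunk(b"IEND", b"")


def demo() -> dict:
    """Run the whole flow on a constructed PNG in a temporary directory."""
    png = make_png_with_text(b"arbitrary bytes may legitimately live inside an image")
    upload_dir = tempfile.mkdtemp()
    name = store_upload(png, upload_dir)
    with open(os.path.join(upload_dir, name), "rb") as fh:
        stored = fh.read()
    return {
        "detected": detect_image_type(png),
        "name": name,
        "round_trip_ok": stored == png,
        "headers": response_headers(stored),
    }


if __name__ == "__main__":
    print(demo())
```

The design choice worth noticing is that the stored file's name has no extension and the directory is not under the document root, so no server-side handler is ever chosen based on the upload; the explicit Content-Type plus `nosniff` then keeps the client from guessing either.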

-- 
Ticket URL: <http://code.djangoproject.com/ticket/3531#comment:1>
Django Code <http://code.djangoproject.com/>
The web framework for perfectionists with deadlines