#4339: Override an existing file, using Model.save_FIELD_file method,
---------------------------------------------------+------------------------
Reporter: [email protected]                        | Owner: Gulopine
Status: reopened                                   | Milestone:
Component: Database layer (models, ORM)            | Version: SVN
Resolution:                                        | Keywords: FileField db fs-rf-docs
Stage: Design decision needed                      | Has_patch: 1
Needs_docs: 1                                      | Needs_tests: 0
Needs_better_patch: 1                              |
---------------------------------------------------+------------------------

Comment (by olau):

Actually, with the default backend you've got a DoS entry if you allow
your users to upload a profile picture with an {{{ImageField}}} (even if
you check the size of the stuff they upload) - since it will leave the
orphaned images behind. The attacker just needs to reupload files to fill
up the available disk space which may be scarce on shared hosting.

In any case, the current behaviour doesn't really make a lot of sense when
you override upload_to to set a filename (e.g. using the db id) instead of
relying on the name from the browser.

I think it should work this way: when you reupload a file, it should be
the same as first deleting the old file and then writing the new one
(maybe in reverse order, with a bit of code to handle the case where the
names are identical). What do you think?

BTW, there's a snippet here with a custom backend that always overwrites:
http://www.djangosnippets.org/snippets/976/

--
Ticket URL: <http://code.djangoproject.com/ticket/4339#comment:21>
Django <http://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
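
The reupload behaviour proposed in the comment above, as an added example that is not from the ticket, the linked snippet or Django itself: a plain-filesystem model in which `save_keep_old` stands in for a storage that never overwrites and `save_replacing` writes the new file first, then deletes the old one, with identical names handled by an atomic rename. All function names and the numeric-suffix collision rule are assumptions made for the illustration.

```python
import os
import tempfile


def save_keep_old(root, name, data):
    """Model of a never-overwrite storage: on a name clash, pick a new name."""
    stem, ext = os.path.splitext(name)
    candidate, n = name, 0
    while os.path.exists(os.path.join(root, candidate)):
        n += 1
        candidate = f"{stem}_{n}{ext}"  # assumed suffix rule
    with open(os.path.join(root, candidate), "wb") as fh:
        fh.write(data)
    return candidate


def save_replacing(root, old_name, new_name, data):
    """Write the new file first, then delete the old one (the 'reverse order')."""
    fd, tmp = tempfile.mkstemp(dir=root, prefix=".upload-")
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(data)
        # Atomic within one filesystem; also covers old_name == new_name.
        os.replace(tmp, os.path.join(root, new_name))
    finally:
        if os.path.exists(tmp):  # only true when the write or rename failed
            os.unlink(tmp)
    if old_name and old_name != new_name:
        try:
            os.unlink(os.path.join(root, old_name))
        except FileNotFoundError:
            pass  # already gone, so nothing is left to orphan
    return new_name


def disk_usage_after(reuploads, replacing):
    """Re-upload a 1 KiB 'avatar' repeatedly; return (file count, bytes used)."""
    with tempfile.TemporaryDirectory() as root:
        current = None
        for i in range(reuploads):
            name = "me.png" if i % 2 else "avatar.png"  # constructed names
            current = (save_replacing(root, current, name, b"x" * 1024)
                       if replacing else save_keep_old(root, name, b"x" * 1024))
        files = os.listdir(root)
        return len(files), sum(os.path.getsize(os.path.join(root, f)) for f in files)


if __name__ == "__main__":
    print(disk_usage_after(10, False), disk_usage_after(10, True))
```

With the never-overwrite model, disk use grows linearly with the number of reuploads even though each upload passes a size check; with replacement it stays at one file per user.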