On Fri, Sep 24, 2010 at 11:28 AM, Federico Capoano
<nemesis.des...@libero.it> wrote:
> Is there a way we can check if a certain file being uploaded is really
> what it claims to be?
> Let's say I want to restrict files to PDF only, then I take a php
> script and I rename it PDF I can still upload it if using the
> following custom FileField that I just worked out yesterday:
>


If you're not willing to trust the user, then you must validate the
uploaded file. I can think of three straightforward ways to do so:

1) Use file(1) to determine the true file type. This will be just a
guess from the opening few bytes of the file, and could be fooled by
clever manipulation of the uploaded file.

2) Use ghostscript and its utilities to validate the pdf file.
Something along these lines:

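  import subprocess

  try:
      # check_call returns 0 on success and raises on a non-zero exit
      is_pdf = (subprocess.check_call(
          ['pdf2ps', '/path/to/file.pdf', '/dev/null']) == 0)
  except subprocess.CalledProcessError:
      # pdf2ps could not process the file
      is_pdf = False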

3) Use a pure python library like pyPdf to examine it. I wouldn't
recommend this, it's a bit old and crufty.


Cheers

Tom
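
Options 1 and 2 from the reply above combined into one fail-closed check, as an added example that is not part of the original message. The function names, the `converter` parameter and the 30-second timeout are assumptions made for illustration.

```python
import os
import subprocess
import tempfile

PDF_MAGIC = b"%PDF-"


def has_pdf_magic(path):
    """Gate 1: opening-bytes check, the same kind of guess file(1) makes."""
    with open(path, "rb") as fh:
        return fh.read(len(PDF_MAGIC)) == PDF_MAGIC


def parses_as_pdf(path, converter=("pdf2ps",), timeout=30):
    """Gate 2: have Ghostscript's pdf2ps parse the whole file.

    `converter` is a hypothetical parameter so the command can be swapped.
    Any failure (bad exit status, timeout, pdf2ps not installed) rejects.
    """
    cmd = list(converter) + [path, os.devnull]
    try:
        subprocess.check_call(cmd, stdout=subprocess.DEVNULL,
                              stderr=subprocess.DEVNULL, timeout=timeout)
    except (subprocess.CalledProcessError, subprocess.TimeoutExpired, OSError):
        return False
    return True


def is_acceptable_pdf(path, **kwargs):
    # Cheap check first; only files that pass it reach Ghostscript.
    return has_pdf_magic(path) and parses_as_pdf(path, **kwargs)


if __name__ == "__main__":
    # Constructed sample: a PHP script saved under a .pdf name.
    with tempfile.NamedTemporaryFile(suffix=".pdf", delete=False) as tmp:
        tmp.write(b"<?php echo 'hello'; ?>\n")
    try:
        print("renamed script accepted:", is_acceptable_pdf(tmp.name))
    finally:
        os.unlink(tmp.name)
```

The file extension and the client-supplied content type play no part in the decision; only the bytes on disk do.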
