Hi folks -
We've just published a short security advisory about ImageFields:
https://www.djangoproject.com/weblog/2013/dec/02/image-field-advisory/
ImageField expects a valid image file, but depending on your app it may
allow uploads on non-image content, such as HTML or JavaScript.
Unfortunately, we cannot offer a solution in Django itself. Rather, you
need to take some steps in how you serve static files in order to mitigate
this type of attack. These steps are now outlined in our security guide:
https://docs.djangoproject.com/en/dev/topics/security/#user-uploaded-content
We recommend that if you allow image uploads that you check your server's
configuration against the above guide.
Jacob
--
You received this message because you are subscribed to the Google Groups
"Django users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to django-users+unsubscr...@googlegroups.com.
To post to this group, send email to django-users@googlegroups.com.
Visit this group at http://groups.google.com/group/django-users.
To view this discussion on the web visit
https://groups.google.com/d/msgid/django-users/CAK8PqJGuNz0NOq52SrUP7kjHgrC19tXuiAKD3YLv6zs8qYdqnA%40mail.gmail.com.
For more options, visit https://groups.google.com/groups/opt_out.
