I've done some work on FileField lately that addresses some of your concerns.

On 10/16/07, Mark Green <[EMAIL PROTECTED]> wrote:
> * does Django properly sanitize the filename or rather, use
>   safe temp files?  I wonder what would happen if I tried to
>   upload a file called "../../traverse.txt"?

I haven't done any testing on that particular situation, so I can't
speak to that one.

> * how can I enforce a filename on the uploaded file?
>   I want to completely ignore the remote name of the file
>   and instead store it as, for example, {{username}}.jpg

There's a ticket[1] in Trac to revamp the way file storage is defined,
which would allow you to override some of how Django selects a
filename. Currently, it won't allow you to use the username, or any
other details of the model the image is attached to, but that's
becoming a common request, so I'll see about adding it before it hits
trunk.

> * anyone know if the PIL stuff is hardened against image bombs?
>   (small images that expand to gigabytes when expanded to bitmap)
>   would it be feasible to subclass ImageFile and replace the PIL
>   calls with some paranoid homegrown stuff (i.e. ImageMagick),
>   anyone know a starting point for this?

The ticket I mentioned above also makes it much easier to subclass
FileField and ImageField to add or change whatever functionality you
like. I don't know whether PIL already does what you need, but if
you're paranoid, this patch should help you out.

-Gul

[1] http://code.djangoproject.com/ticket/5361
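As an added illustration of the two defensive points raised in the thread (ignoring the client-supplied filename, and bounding how large an image may become once decoded), here is stand-alone Python that is not from the thread, from Django, or from ticket 5361. The 25 megapixel budget, the username pattern and the extension allow-list are assumed policy values, and the PNG header is constructed inline for the demonstration.

```python
import os
import re
import struct

# Assumed policy: only these extensions are stored; everything else about the remote name is ignored.
ALLOWED_EXTENSIONS = {".jpg", ".jpeg", ".png"}
# Assumed policy: upper bound on decoded pixel count (25 megapixels).
MAX_PIXELS = 25_000_000
# Assumed policy: usernames that can safely form part of a path on disk.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{1,30}$")


def safe_upload_name(username, remote_name):
    """Return '<username><ext>' using only the extension of the client-supplied name.

    Directory components such as '../' are dropped by basename(), and the
    username is validated so it cannot smuggle path separators either.
    """
    if not USERNAME_RE.match(username):
        raise ValueError("invalid username")
    ext = os.path.splitext(os.path.basename(remote_name))[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        raise ValueError(f"disallowed extension {ext!r}")
    if ext == ".jpeg":
        ext = ".jpg"
    return username + ext


def png_dimensions(header):
    """Parse declared width/height from the IHDR chunk (first 24 bytes of a PNG)."""
    if header[:8] != b"\x89PNG\r\n\x1a\n" or header[12:16] != b"IHDR":
        raise ValueError("not a PNG header")
    return struct.unpack(">II", header[16:24])


def within_pixel_budget(header, max_pixels=MAX_PIXELS):
    """Cheap pre-check before handing the file to a decoder: reject declared sizes over budget.

    The decoder itself should still enforce a limit; this only catches what the header admits to.
    """
    width, height = png_dimensions(header)
    return width * height <= max_pixels


def make_png_header(width, height):
    """Constructed PNG signature plus IHDR chunk, used here only as sample input."""
    ihdr = struct.pack(">II", width, height) + b"\x08\x02\x00\x00\x00"
    return b"\x89PNG\r\n\x1a\n" + struct.pack(">I", 13) + b"IHDR" + ihdr
```

Whatever hook the storage layer offers for choosing the on-disk name, passing the result of `safe_upload_name` through it means a name like `../../traverse.txt` is never consulted for anything but its (rejected) extension.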
