I've done some work on FileField lately that addresses some of your concerns.
On 10/16/07, Mark Green <[EMAIL PROTECTED]> wrote:

> * does django properly sanitize the filename or rather, use
> safe temp files? i wonder what would happen if i tried to
> upload a file called "../../traverse.txt"?

I haven't done any testing on that particular situation, so I can't speak to that one.

> * how can i enforce a filename on the uploaded file?
> i want to completely ignore the remote name of the file
> and instead store it as, for example, {{username}}.jpg

There's a ticket[1] in Trac to revamp the way file storage is defined, which would allow you to override some of how Django selects a filename. Currently, it won't allow you to use the username, or any other details of the model the image is attached to, but that's becoming a common request, so I'll see about adding it before it hits trunk.

> * anyone know if the PIL stuff is hardened against image bombs?
> (small images that expand to gigabytes when expanded to bitmap)
> would it be feasible to subclass ImageFile and replace the PIL
> calls with some paranoid homegrown stuff (i.e. ImageMagick),
> anyone know a starting point for this?

The ticket I mentioned above also makes it much easier to subclass FileField and ImageField to add or change whatever functionality you like. I don't know whether PIL already does what you need, but if you're paranoid, this patch should help you out.

-Gul

[1] http://code.djangoproject.com/ticket/5361
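An added example, not from Gul's reply and not Django's own code, showing in plain Python the two defensive checks asked about in the thread: storing an upload as `<username>.<ext>` while ignoring the client-supplied name (so a name like `../../traverse.txt` cannot influence the path), and reading an image's declared dimensions from its PNG or GIF header to refuse a decompression bomb before anything is decoded. The pixel budget, extension allow-list, username pattern and sample headers are all constructed for this example.

```python
import posixpath
import re
import struct

# Constructed policy values for this example (not from the thread).
MAX_PIXELS = 20_000_000                      # ~80 MB of RGBA once decoded
ALLOWED_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif"}
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{1,30}$")

def safe_storage_name(remote_name, username):
    """Ignore the client-supplied name; return '<username><ext>' or None.

    Only the extension survives from the remote name, and only after the name
    is reduced to its basename and the extension is matched against an
    allow-list, so '../../traverse.txt' cannot influence the stored path.
    """
    if not USERNAME_RE.match(username):
        return None                                  # username is not a safe path component
    base = posixpath.basename(remote_name.replace("\\", "/"))
    ext = posixpath.splitext(base)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        return None
    return username + ext

def declared_size(header):
    """Read (width, height) from a PNG or GIF header without decoding pixels."""
    if header.startswith(b"\x89PNG\r\n\x1a\n") and len(header) >= 24:
        return struct.unpack(">II", header[16:24])   # IHDR width, height (big-endian)
    if header[:6] in (b"GIF87a", b"GIF89a") and len(header) >= 10:
        return struct.unpack("<HH", header[6:10])    # logical screen size (little-endian)
    return None

def is_image_bomb(header, max_pixels=MAX_PIXELS):
    """True when the declared dimensions exceed the pixel budget or cannot be read.

    The same idea applies with PIL: Image.open() only parses the header, so
    im.size can be inspected and the upload refused before im.load() decodes it.
    """
    size = declared_size(header)
    if size is None:
        return True                                  # unknown format: refuse
    width, height = size
    return width * height > max_pixels

# Constructed sample headers: a 50000x50000 PNG (2.5 Gpixel) and a 640x480 GIF.
BOMB_PNG = (b"\x89PNG\r\n\x1a\n" + struct.pack(">I", 13) + b"IHDR"
            + struct.pack(">II", 50000, 50000))
SMALL_GIF = b"GIF89a" + struct.pack("<HH", 640, 480)

if __name__ == "__main__":
    print(safe_storage_name("../../traverse.txt", "alice"))   # None
    print(safe_storage_name("photo.PNG", "alice"))             # alice.png
    print(is_image_bomb(BOMB_PNG), is_image_bomb(SMALL_GIF))   # True False
```

Modern Pillow builds in a comparable check via `Image.MAX_IMAGE_PIXELS`, but a header-level size check like this one runs before any decoder is touched.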