On Wed, 06 Oct 2010 09:02:21 -0700, geekbuntu wrote:

> In general, what are things I would want to 'watch for/guard against' in
> a file upload situation?
>
> I have my file upload working (in the self-made framework @ work without
> any concession for multipart form uploads), but was told to make sure
> it's cleansed and cannot do any harm inside the system.
>
Off the top of my head, and assuming that you get passed the exact
filename that the user entered:

- The user may need to use an absolute pathname to upload a file that
  isn't in his current directory, so retain only the basename by
  discarding the rightmost slash and everything to the left of it:

    /home/auser/photos/my_photo.jpg ===> my_photo.jpg
    c:\My Photos\My Photo.jpg ===> My Photo.jpg

- If your target system doesn't like spaces in names or you want to be
  on the safe side there, replace spaces in the name with underscores:

    My Photo.jpg ===> My_Photo.jpg

- Reject any filenames that could cause the receiving system to do
  dangerous things, e.g. .EXE or .SCR if the upload target is Windows.
  This list will be different for each upload target, so make it
  configurable. You can't assume anything else about the extension.
  .py, .c, .txt and .html are all valid in the operating systems I use,
  and so are their capitalised equivalents.

- Check whether the file already exists. You need rules about what to
  do if it exists (do you reject the upload, silently overwrite, or
  alter the name, e.g. by adding a numeric suffix to make the name
  unique: my_photo.jpg ===> my_photo-01.jpg).

- Run the application in your upload target directory and put the
  uploaded file there or, better, into a configured uploads directory
  by prepending it to the file name:

    my_photo.jpg ===> /home/upload_user/uploads/my_photo.jpg

- Make sure you document the process so that a user can work out what
  has happened to his file and why if you have to reject it or alter
  its name.

> not sure but any suggestions or examples are most welcome :)
>
There's probably something I've forgotten, but that list should get
you going.

-- 
martin@   | Martin Gregorie
gregorie. | Essex, UK
org       |
--
http://mail.python.org/mailman/listinfo/python-list
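The checklist above, written out as one small Python module (an added example, not code from Martin or from the original thread). It follows the post's steps in order: keep only the basename (accepting both slash styles, since the client may be on a different OS from the server), turn spaces into underscores, reject a configurable, case-insensitive extension blocklist, make the name unique with a -01, -02 suffix, and finally prepend the configured uploads directory. The function names, the `UploadRejected` exception and the `existing` parameter (a set of names already in the uploads directory, passed in so the example runs offline; in a real handler you would build it from `os.listdir(uploads_dir)`) are all my own assumptions. It also covers two edge cases the basename rule alone does not: a path that ends in a separator produces an empty name, and "." or ".." are directory references, not files, so both are rejected with a message the user can act on.

```python
import os
import re

# Extensions the upload target must never receive. The post stresses that
# this differs per target, so it is a parameter with a default, not a constant.
DEFAULT_BLOCKED_EXTENSIONS = frozenset({".exe", ".scr"})

# Accept either separator: a Windows client may upload to a Unix server.
_SEPARATORS = re.compile(r"[\\/]")


class UploadRejected(ValueError):
    """Carries a plain-language reason so the user can see why the name was refused."""


def clean_name(user_path: str) -> str:
    """Steps 1 and 2: keep the basename, then replace spaces with underscores."""
    name = _SEPARATORS.split(user_path)[-1]  # discard rightmost slash and all to its left
    name = name.replace(" ", "_")
    # A trailing separator leaves "", and "."/".." name directories, not files.
    if name in ("", ".", ".."):
        raise UploadRejected(f"{user_path!r} does not name a file")
    return name


def check_extension(name: str, blocked=DEFAULT_BLOCKED_EXTENSIONS) -> None:
    """Step 3: refuse extensions the target system would treat as executable."""
    _, ext = os.path.splitext(name)
    # Lower-case the comparison so .EXE, .Exe and .exe are all caught.
    if ext.lower() in blocked:
        raise UploadRejected(f"files with the {ext!r} extension are not accepted")


def unique_name(name: str, existing) -> str:
    """Step 4: if the name is taken, append -01, -02, ... until it is free."""
    if name not in existing:
        return name
    stem, ext = os.path.splitext(name)
    for n in range(1, 100):
        candidate = f"{stem}-{n:02d}{ext}"
        if candidate not in existing:
            return candidate
    raise UploadRejected(f"too many files already named like {name!r}")


def upload_path(user_path: str, uploads_dir: str, existing,
                blocked=DEFAULT_BLOCKED_EXTENSIONS) -> str:
    """Run all the steps and return the full path the file should be written to."""
    name = clean_name(user_path)
    check_extension(name, blocked)
    name = unique_name(name, existing)
    # Step 5: the configured uploads directory is prepended to the cleaned name,
    # never to the user's original path.
    return os.path.join(uploads_dir, name)


if __name__ == "__main__":
    # Constructed sample: two names already present in the uploads directory.
    already_there = {"my_photo.jpg", "report.txt"}
    for raw in ["/home/auser/photos/my_photo.jpg",
                r"c:\My Photos\My Photo.jpg",
                "../../etc/passwd",
                "setup.EXE",
                "photos/"]:
        try:
            print(raw, "===>", upload_path(raw, "/home/upload_user/uploads", already_there))
        except UploadRejected as why:
            print(raw, "rejected:", why)
```

Because the basename rule throws away every directory component, a name such as `../../etc/passwd` simply becomes `passwd` inside the uploads directory, which is why the uploads directory should be joined to the cleaned name rather than to anything the user supplied. Note that the `existing` set does not change between calls here; a real handler must either re-read the directory or open the file with `os.O_CREAT | os.O_EXCL` so that two concurrent uploads cannot both be told the same name is free.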