Re: File Upload Content Type Verification

2010-09-24 Thread Federico Capoano
Thanks.

I'm concerned about the possibility of uploading and executing a
script on the server. Just this. I think I can avoid this by hiding
the file somewhere behind the public folder so the content is not
accessible via http.



On 24 Sep, 13:31, Tom Evans wrote:
> On Fri, Sep 24, 2010 at 12:23 PM, Federico Capoano wrote:
> > I can't trust the user because this field will be used in the
> > frontend, which will be an app similar to the django admin, but much
> > more limited.
>
> > So, according to what you said, there is no standard way to do this.
> > The second solution seems interesting.
>
> > But what if I wanted to restrict to images?
>
> > What's the best way to avoid security issues? Maybe storing the file
> > somewhere hidden would be safer?
>
> Depends what you mean by 'standard'. I would consider it standard to
> validate user supplied input, and that process is the same regardless
> of filetype, the only thing that changes is how you validate the
> input.
>
> For images, you can simply use an ImageField, which uses PIL to
> validate that the uploaded file is an image file supported by PIL.
>
> I don't understand what security issues you are referring to.
>
> Cheers
>
> Tom

-- 
You received this message because you are subscribed to the Google Groups 
"Django users" group.
To post to this group, send email to django-us...@googlegroups.com.
To unsubscribe from this group, send email to 
django-users+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/django-users?hl=en.
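
Added example (written for this page, not code from the thread or from Django): one way to do what Federico describes, keeping uploads where no URL resolves to them and handing them back only through application code. It is plain Python with no Django dependency so it runs on its own. Assumptions: an UPLOAD_ROOT outside the web server's document root (a temp-dir path here, constructed for the example), a small type-to-extension table, and a verified_type argument that comes from your own content check, never from the client's Content-Type. Function names are this example's own.

```python
import os
import secrets
import tempfile

# Directory for uploads, outside the web server's document root, so no URL
# ever maps onto these files. The actual path is this example's assumption.
UPLOAD_ROOT = os.path.join(tempfile.gettempdir(), "uploads-outside-docroot")

# The extension is chosen by the server from the type we verified, never from
# the client's filename, so 'shell.php.pdf' style names never reach disk.
EXTENSIONS = {"application/pdf": ".pdf", "image/png": ".png", "image/jpeg": ".jpg"}


def store_upload(data, verified_type, upload_root=UPLOAD_ROOT):
    """
    Write the upload under a random, server-chosen name and return its path.
    The client's filename is not used at all, so '../' and friends are moot.
    """
    os.makedirs(upload_root, mode=0o700, exist_ok=True)
    stored_name = secrets.token_hex(16) + EXTENSIONS[verified_type]
    path = os.path.join(upload_root, stored_name)
    # O_EXCL: never overwrite an existing file; 0o600: readable by the app
    # user only, and not executable by anyone.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path


def resolve_download(stored_name, upload_root=UPLOAD_ROOT):
    """
    Map a stored name (as recorded in the database row) back to a path and
    refuse anything that does not stay directly inside upload_root.
    Returns None when it does not resolve to an existing file there.
    """
    root = os.path.realpath(upload_root)
    candidate = os.path.realpath(os.path.join(root, stored_name))
    if os.path.dirname(candidate) != root or not os.path.isfile(candidate):
        return None
    return candidate


def download_headers(verified_type, download_name):
    """
    Response headers for the view that streams the file back: the type we
    verified (not the client's), a forced download, and no browser sniffing.
    """
    safe = "".join(c for c in download_name if c.isalnum() or c in "._-") or "download"
    return {
        "Content-Type": verified_type,
        "Content-Disposition": 'attachment; filename="%s"' % safe,
        "X-Content-Type-Options": "nosniff",
    }


if __name__ == "__main__":
    # Constructed sample: a minimal PDF body, stored and then resolved again.
    path = store_upload(b"%PDF-1.4\n%%EOF\n", "application/pdf")
    print(path)
    print(resolve_download(os.path.basename(path)))
    print(resolve_download("../../etc/passwd"))  # None: escapes the root
    print(download_headers("application/pdf", 'report"; x.php'))
```

With Django this means the field's storage points at a directory the web server does not serve (not under MEDIA_ROOT if MEDIA_URL is exposed), and the download URL is a view that looks the stored name up in the database and streams the bytes with these headers, rather than a direct link to the file. Hiding the file only helps if nothing later serves it from a location where the server would execute it.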



Re: File Upload Content Type Verification

2010-09-24 Thread Tom Evans
On Fri, Sep 24, 2010 at 12:23 PM, Federico Capoano wrote:
> I can't trust the user because this field will be used in the
> frontend, which will be an app similar to the django admin, but much
> more limited.
>
> So, according to what you said, there is no standard way to do this.
> The second solution seems interesting.
>
> But what if I wanted to restrict to images?
>
> What's the best way to avoid security issues? Maybe storing the file
> somewhere hidden would be safer?
>

Depends what you mean by 'standard'. I would consider it standard to
validate user supplied input, and that process is the same regardless
of filetype, the only thing that changes is how you validate the
input.

For images, you can simply use an ImageField, which uses PIL to
validate that the uploaded file is an image file supported by PIL.

I don't understand what security issues you are referring to.

Cheers

Tom




RE: Re: File Upload Content Type Verification

2010-09-24 Thread Henrik Genssen
For images, PIL does the job more or less well for all the file types
and formats it knows (validation is built into ImageField); I have noticed problems
with some image file types...

You may also do a virus scan; we added clamav (pyclamd) to the clean method.

regards

Henrik

>reply to message:
>date: 24.09.2010 06:23:55
>from: "Federico Capoano" <nemesis.des...@libero.it>
>to: "Django users" <django-users@googlegroups.com>
>subject: Re: File Upload Content Type Verification
>
>I can't trust the user because this field will be used in the
>frontend, which will be an app similar to the django admin, but much
>more limited.
>
>So, according to what you said, there is no standard way to do this.
>The second solution seems interesting.
>
>But what if I wanted to restrict to images?
>
>What's the best way to avoid security issues? Maybe storing the file
>somewhere hidden would be safer?
>
>
>
>
>On 24 Sep, 13:08, Tom Evans <tevans...@googlemail.com> wrote:
>> On Fri, Sep 24, 2010 at 11:28 AM, Federico Capoano <nemesis.des...@libero.it> wrote:
>> > Is there a way we can check if a certain file being uploaded is really
>> > what it claims to be?
>> > Let's say I want to restrict files to PDF only, then I take a php
>> > script and I rename it PDF I can still upload it if using the
>> > following custom FileField that I just worked out yesterday:
>>
>> If you're not willing to trust the user, then you must validate the
>> uploaded file. I can think of three straightforward ways to do so:
>>
>> 1) Use file(1) to determine the true file type. This will be just a
>> guess from the opening few bytes of the file, and could be fooled by
>> clever manipulation of the uploaded file.
>>
>> 2) Use ghostscript and its utilities to validate the pdf file.
>> Something along these lines:
>>
>>   import subprocess
>>
>>   try:
>>       is_pdf = (subprocess.check_call(['pdf2ps', '/path/to/file.pdf',
>>                                        '/dev/null']) == 0)
>>   except subprocess.CalledProcessError:
>>       is_pdf = False
>>
>> 3) Use a pure python library like pyPdf to examine it. I wouldn't
>> recommend this, it's a bit old and crufty.
>>
>> Cheers
>>
>> Tom
>

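
Added example (mine, not Henrik's code): a fail-closed clamd scan hook of the kind Henrik describes, in plain Python. It assumes the pyclamd 0.3-style API as I know it (ClamdUnixSocket(), ping(), and scan_stream(bytes) returning None for a clean buffer or {'stream': ('FOUND', name)} otherwise); StubScanner and the sample bytes are constructed so the code runs without a clamd daemon, and all names are this example's own. The point it adds to Henrik's note is the failure mode: a scanner that is down must reject uploads, not wave them through.

```python
import socket

try:
    import pyclamd  # wrapper for the clamd socket protocol; optional at import time
except ImportError:
    pyclamd = None


class UploadRejected(Exception):
    """Raised for anything that must not be accepted, scanner trouble included."""


def connect_clamd():
    """Open the local clamd Unix socket and check it answers; None if it does not."""
    if pyclamd is None:
        return None
    try:
        scanner = pyclamd.ClamdUnixSocket()
        scanner.ping()
        return scanner
    except (pyclamd.ConnectionError, socket.error):
        return None


def scan_upload(data, scanner):
    """
    Stream the upload bytes to clamd and fail closed: no scanner, a failed
    scan, or a FOUND verdict all raise UploadRejected. Only a clean verdict
    returns True. `scanner` is any object with pyclamd's scan_stream(bytes).
    """
    if scanner is None:
        raise UploadRejected("virus scanner unavailable; refusing upload")
    try:
        verdict = scanner.scan_stream(data)
    except Exception as exc:  # broad on purpose: any scan failure is a reject
        raise UploadRejected("scan failed: %s" % exc)
    if verdict is None:
        return True
    reply = verdict.get("stream", ("ERROR", "unrecognised reply"))
    raise UploadRejected("scan verdict: %r" % (reply,))


class StubScanner(object):
    """Constructed stand-in with pyclamd's scan_stream() shape, for offline runs."""
    def __init__(self, verdict):
        self.verdict = verdict

    def scan_stream(self, data):
        return self.verdict


if __name__ == "__main__":
    # Use the real daemon when it is reachable, otherwise the constructed stub.
    scanner = connect_clamd() or StubScanner(None)
    print(scan_upload(b"%PDF-1.4\n%%EOF\n", scanner))
```

In a form's clean() you would read the uploaded file's bytes, call scan_upload, then seek(0) before anything else uses the file. clamd's StreamMaxLength setting caps what it accepts over the stream interface, so very large uploads need scan_file on a path clamd can read instead. Scanning is defence in depth on top of the type check, not a replacement for it.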



Re: File Upload Content Type Verification

2010-09-24 Thread Federico Capoano
I can't trust the user because this field will be used in the
frontend, which will be an app similar to the django admin, but much
more limited.

So, according to what you said, there is no standard way to do this.
The second solution seems interesting.

But what if I wanted to restrict to images?

What's the best way to avoid security issues? Maybe storing the file
somewhere hidden would be safer?




On 24 Sep, 13:08, Tom Evans wrote:
> On Fri, Sep 24, 2010 at 11:28 AM, Federico Capoano wrote:
> > Is there a way we can check if a certain file being uploaded is really
> > what it claims to be?
> > Let's say I want to restrict files to PDF only, then I take a php
> > script and I rename it PDF I can still upload it if using the
> > following custom FileField that I just worked out yesterday:
>
> If you're not willing to trust the user, then you must validate the
> uploaded file. I can think of three straightforward ways to do so:
>
> 1) Use file(1) to determine the true file type. This will be just a
> guess from the opening few bytes of the file, and could be fooled by
> clever manipulation of the uploaded file.
>
> 2) Use ghostscript and its utilities to validate the pdf file.
> Something along these lines:
>
>   import subprocess
>
>   try:
>       is_pdf = (subprocess.check_call(['pdf2ps', '/path/to/file.pdf',
>                                        '/dev/null']) == 0)
>   except subprocess.CalledProcessError:
>       is_pdf = False
>
> 3) Use a pure python library like pyPdf to examine it. I wouldn't
> recommend this, it's a bit old and crufty.
>
> Cheers
>
> Tom




Re: File Upload Content Type Verification

2010-09-24 Thread Tom Evans
On Fri, Sep 24, 2010 at 11:28 AM, Federico Capoano wrote:
> Is there a way we can check if a certain file being uploaded is really
> what it claims to be?
> Let's say I want to restrict files to PDF only, then I take a php
> script and I rename it PDF I can still upload it if using the
> following custom FileField that I just worked out yesterday:
>


If you're not willing to trust the user, then you must validate the
uploaded file. I can think of three straightforward ways to do so:

1) Use file(1) to determine the true file type. This will be just a
guess from the opening few bytes of the file, and could be fooled by
clever manipulation of the uploaded file.

2) Use ghostscript and its utilities to validate the pdf file.
Something along these lines:

  import subprocess

  try:
      is_pdf = (subprocess.check_call(['pdf2ps', '/path/to/file.pdf',
                                       '/dev/null']) == 0)
  except subprocess.CalledProcessError:
      is_pdf = False

3) Use a pure python library like pyPdf to examine it. I wouldn't
recommend this, it's a bit old and crufty.


Cheers

Tom
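
Added example, not Tom's or Django's code: Tom's first option (sniffing the real type from the opening bytes) in plain Python, plus a wrapper around his pdf2ps idea with a timeout and a fail-closed result when ghostscript is not installed. The signature table, the function names and the sample inputs are all constructed for this example. It deliberately includes a polyglot that passes the magic-byte check, to show the "could be fooled" caveat rather than hide it.

```python
import shutil
import subprocess

# Well-known leading bytes of the types we are willing to accept. The table
# itself is constructed for this example; extend it per application.
SIGNATURES = {
    "application/pdf": (b"%PDF-",),
    "image/png": (b"\x89PNG\r\n\x1a\n",),
    "image/jpeg": (b"\xff\xd8\xff",),
    "image/gif": (b"GIF87a", b"GIF89a"),
}


def sniff_content_type(head):
    """Return the type whose signature the leading bytes match, else None."""
    for content_type, magics in SIGNATURES.items():
        if any(head.startswith(m) for m in magics):
            return content_type
    return None


def validate_upload(data, declared_type, allowed_types):
    """
    Accept only if the client's declared type is on the allow-list AND the
    bytes actually start with that type's signature. Returns (ok, detail).
    """
    if declared_type not in allowed_types:
        return False, "declared type %r is not allowed" % declared_type
    sniffed = sniff_content_type(data[:16])
    if sniffed is None:
        return False, "leading bytes match no accepted type"
    if sniffed != declared_type:
        return False, "declared %s but content looks like %s" % (declared_type, sniffed)
    return True, sniffed


def contains_php_open_tag(data):
    """Shows the limit of sniffing: a valid PDF header can be followed by anything."""
    return b"<?php" in data.lower()


def verify_pdf_with_ghostscript(path, timeout=30):
    """
    Tom's option 2 with two guards: bound the run time, and treat a missing
    pdf2ps as 'not verified' rather than 'fine'. True only when pdf2ps exits 0.
    """
    if shutil.which("pdf2ps") is None:
        return False
    try:
        subprocess.run(["pdf2ps", path, "/dev/null"], check=True, timeout=timeout,
                       stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    except (subprocess.CalledProcessError, subprocess.TimeoutExpired):
        return False
    return True


if __name__ == "__main__":
    # Constructed sample uploads: a renamed PHP file, a PNG, and a polyglot.
    renamed_php = b"<?php echo 'hello'; ?>\n"
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
    polyglot = b"%PDF-1.4\n<?php echo 'hello'; ?>\n"
    allowed = {"application/pdf", "image/png"}
    print(validate_upload(renamed_php, "application/pdf", allowed))  # rejected
    print(validate_upload(png, "image/png", allowed))                # accepted
    print(validate_upload(polyglot, "application/pdf", allowed))     # accepted: sniffing alone is not enough
    print(contains_php_open_tag(polyglot))
```

In a Django field this is what clean() would call with the first bytes of data.file and data.file.content_type. The polyglot case is why a file that passes the sniff still gets stored where the web server will not execute it and is handed to a real parser (pdf2ps, PIL) before anyone relies on it; grepping for "<?php" is shown only to make the bypass visible, not as a defence. Ghostscript has its own history of parser bugs, so run it as a separate unprivileged user or in a container when the input is untrusted.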




File Upload Content Type Verification

2010-09-24 Thread Federico Capoano
Is there a way we can check if a certain file being uploaded is really
what it claims to be?
Let's say I want to restrict files to PDF only, then I take a php
script and I rename it PDF I can still upload it if using the
following custom FileField that I just worked out yesterday:

from django import forms
from django.db.models import FileField
from django.template.defaultfilters import filesizeformat
from django.utils.translation import ugettext_lazy as _


class ContentTypeRestrictedFileField(FileField):
    """
    Same as models.FileField, but you can specify a list of accepted
    content_types and a max_upload_size (in bytes).
    """
    def __init__(self, *args, **kwargs):
        self.content_types = kwargs.pop("content_types")
        self.max_upload_size = kwargs.pop("max_upload_size")

        super(ContentTypeRestrictedFileField, self).__init__(*args, **kwargs)

    def clean(self, *args, **kwargs):
        data = super(ContentTypeRestrictedFileField, self).clean(*args, **kwargs)

        file = data.file
        try:
            # content_type comes from the multipart request, i.e. it is
            # whatever the client declared for this upload.
            content_type = file.content_type
        except AttributeError:
            # Not a fresh upload (e.g. the stored file when editing an
            # existing object): there is nothing new to check.
            return data

        if content_type in self.content_types:
            if file.size > self.max_upload_size:
                raise forms.ValidationError(
                    _('Please keep filesize under %s. Current filesize %s') %
                    (filesizeformat(self.max_upload_size),
                     filesizeformat(file.size)))
        else:
            raise forms.ValidationError(_('The only filetype allowed is PDF.'))

        return data

