Re: File Upload Content Type Verification
Thanks. I'm concerned about the possibility of uploading and executing a script on the server. Just this. I think I can avoid this by hiding the file somewhere behind the public folder so the content is not accessible via http.

On 24 Sep, 13:31, Tom Evans wrote:
> On Fri, Sep 24, 2010 at 12:23 PM, Federico Capoano wrote:
> > I can't trust the user because this field will be used in the
> > frontend, which will be an app similar to the django admin, but much
> > more limited.
> >
> > So according to what you said, there is no standard way to do this.
> > The second solution seems interesting.
> >
> > But what if I wanted to restrict to images?
> >
> > What's the best way to avoid security issues? Maybe store the file
> > somewhere hidden would be safer?
>
> Depends what you mean by 'standard'. I would consider it standard to
> validate user supplied input, and that process is the same regardless
> of filetype; the only thing that changes is how you validate the
> input.
>
> For images, you can simply use an ImageField, which uses PIL to
> validate that the uploaded file is an image file supported by PIL.
>
> I don't understand what security issues you are referring to.
>
> Cheers
>
> Tom

--
You received this message because you are subscribed to the Google Groups "Django users" group.
To post to this group, send email to django-us...@googlegroups.com.
To unsubscribe from this group, send email to django-users+unsubscr...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/django-users?hl=en.
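The "keep it outside the public folder" idea from the message above, as an added example that is not from the thread or from Django: uploads are written under a random name into a directory the web server never maps to a URL, and are handed back only through application code that forces a download instead of letting the browser render or sniff the bytes. The directory path, the token format, the function names and the minimal (status, headers, body) response shape are my own assumptions.

```python
# Added example (not from the thread): uploads live outside the served tree
# and are returned only through application code.
import os
import re
import secrets
import tempfile

# Assumed layout: the web server serves /srv/app/public; this sibling directory
# is never mapped to a URL, so a stored file cannot be requested (and therefore
# not executed by the web server) directly over HTTP.
UPLOAD_ROOT = "/srv/app/private_uploads"


def store_upload(data, upload_root=UPLOAD_ROOT):
    """Write `data` under upload_root under a random name and return that name.

    The client's filename is never used for the on-disk path, so it cannot
    steer the write outside upload_root or give the file an executable suffix.
    """
    os.makedirs(upload_root, mode=0o700, exist_ok=True)
    token = secrets.token_hex(16)
    path = os.path.join(upload_root, token)
    # Create-only, owner read/write, never executable.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return token


def resolve_stored(token, upload_root=UPLOAD_ROOT):
    """Map a token back to a path, refusing anything that is not one of ours."""
    if not re.fullmatch(r"[0-9a-f]{32}", token or ""):
        raise ValueError("malformed token")
    path = os.path.realpath(os.path.join(upload_root, token))
    if os.path.dirname(path) != os.path.realpath(upload_root):
        raise ValueError("token resolves outside the upload directory")
    return path


def download_response(token, download_name, upload_root=UPLOAD_ROOT):
    """Return (status, headers, body) that serves the stored file as an attachment.

    Content-Disposition: attachment plus X-Content-Type-Options: nosniff tell the
    browser to save the bytes rather than render or content-sniff them: the
    server never interprets the upload, and the client is told not to either.
    """
    path = resolve_stored(token, upload_root)
    with open(path, "rb") as fh:
        body = fh.read()
    # The download name is display-only; strip anything outside a safe alphabet.
    safe_name = re.sub(r"[^A-Za-z0-9._-]", "_", download_name)[:100] or "download"
    headers = [
        ("Content-Type", "application/octet-stream"),
        ("Content-Disposition", 'attachment; filename="%s"' % safe_name),
        ("X-Content-Type-Options", "nosniff"),
        ("Content-Length", str(len(body))),
    ]
    return "200 OK", headers, body


def demo():
    """Round-trip constructed bytes through a temporary private directory."""
    root = tempfile.mkdtemp(prefix="private_uploads_")
    token = store_upload(b"%PDF-1.4 constructed sample", upload_root=root)
    status, headers, body = download_response(token, "report;evil.pdf", upload_root=root)
    return status, dict(headers), body, token


if __name__ == "__main__":
    print(demo())
```

In a Django project the equivalent is a FileSystemStorage whose location is outside MEDIA_ROOT, plus a view that does what download_response does; the point is that nothing under the upload directory is ever reachable by URL without passing through that view.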
Re: File Upload Content Type Verification
On Fri, Sep 24, 2010 at 12:23 PM, Federico Capoano wrote:
> I can't trust the user because this field will be used in the
> frontend, which will be an app similar to the django admin, but much
> more limited.
>
> So according to what you said, there is no standard way to do this.
> The second solution seems interesting.
>
> But what if I wanted to restrict to images?
>
> What's the best way to avoid security issues? Maybe store the file
> somewhere hidden would be safer?
>

Depends what you mean by 'standard'. I would consider it standard to validate user supplied input, and that process is the same regardless of filetype; the only thing that changes is how you validate the input.

For images, you can simply use an ImageField, which uses PIL to validate that the uploaded file is an image file supported by PIL.

I don't understand what security issues you are referring to.

Cheers

Tom
RE: Re: File Upload Content Type Verification
For images PIL does the job more or less well for all the filetypes and formats it knows (validation built into ImageField). I have recognized problems with some image file types... You may also do some virus scan... We added clamav (pyclamd) to the clean method...

regards
Henrik

> reply to message:
> date: 24.09.2010 06:23:55
> from: "Federico Capoano" <nemesis.des...@libero.it>
> to: "Django users" <django-users@googlegroups.com>
> subject: Re: File Upload Content Type Verification
>
> I can't trust the user because this field will be used in the
> frontend, which will be an app similar to the django admin, but much
> more limited.
>
> So according to what you said, there is no standard way to do this.
> The second solution seems interesting.
>
> But what if I wanted to restrict to images?
>
> What's the best way to avoid security issues? Maybe store the file
> somewhere hidden would be safer?
>
> On 24 Sep, 13:08, Tom Evans <tevans...@googlemail.com> wrote:
> > On Fri, Sep 24, 2010 at 11:28 AM, Federico Capoano
> > <nemesis.des...@libero.it> wrote:
> > > Is there a way we can check if a certain file being uploaded is really
> > > what it claims to be?
> > > Let's say I want to restrict files to PDF only, then I take a php
> > > script and I rename it PDF I can still upload it if using the
> > > following custom FileField that I just worked out yesterday:
> >
> > If you're not willing to trust the user, then you must validate the
> > uploaded file. I can think of three straightforward ways to do so:
> >
> > 1) Use file(1) to determine the true file type. This will be just a
> > guess from the opening few bytes of the file, and could be fooled by
> > clever manipulation of the uploaded file.
> >
> > 2) Use ghostscript and its utilities to validate the pdf file.
> > Something along these lines:
> >
> >     try:
> >         is_pdf = (subprocess.check_call(['pdf2ps', '/path/to/file.pdf',
> >                                          '/dev/null']) == 0)
> >     except subprocess.CalledProcessError:
> >         is_pdf = False
> >
> > 3) Use a pure python library like pyPdf to examine it. I wouldn't
> > recommend this, it's a bit old and crufty.
> >
> > Cheers
> >
> > Tom
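The "virus scan in the clean method" Henrik describes, as an added example that is not from the thread, from Django or from pyclamd: it streams the uploaded bytes to a local clamd over its Unix socket using the INSTREAM command (4-byte big-endian length-prefixed chunks, terminated by a zero-length chunk, reply NUL-terminated because the command is sent with the 'z' prefix) with only the standard library, and shows the decision a clean() hook should make. The socket path, the function names and the constructed replies used for checking the parser are my assumptions.

```python
# Added example (not from the thread): scan upload bytes with clamd's INSTREAM
# command over its Unix socket, and turn the reply into a clean()/reject decision.
import socket
import struct

CLAMD_SOCKET = "/var/run/clamav/clamd.ctl"  # assumed; the path is distribution-specific


def parse_clamd_reply(reply):
    """Turn a raw INSTREAM reply into (is_clean, signature_name).

    clamd answers "stream: OK" for a clean stream and
    "stream: <signature> FOUND" for a detection; with the 'z' command prefix
    the reply is terminated by a NUL byte.
    """
    text = reply.rstrip(b"\0").decode("utf-8", "replace").strip()
    if text == "stream: OK":
        return True, None
    if text.startswith("stream: ") and text.endswith(" FOUND"):
        return False, text[len("stream: "):-len(" FOUND")]
    raise RuntimeError("unexpected clamd reply: %r" % text)


def scan_bytes(data, socket_path=CLAMD_SOCKET, chunk_size=65536, timeout=60):
    """Stream `data` to clamd and return parse_clamd_reply's result.

    Scanning the bytes from memory means the upload never has to be written
    to disk with its original name before it has been checked.
    """
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as sock:
        sock.settimeout(timeout)
        sock.connect(socket_path)
        sock.sendall(b"zINSTREAM\0")
        for offset in range(0, len(data), chunk_size):
            chunk = data[offset:offset + chunk_size]
            sock.sendall(struct.pack("!I", len(chunk)) + chunk)
        sock.sendall(struct.pack("!I", 0))  # zero-length chunk ends the stream
        reply = b""
        while not reply.endswith(b"\0"):
            part = sock.recv(4096)
            if not part:
                break
            reply += part
    return parse_clamd_reply(reply)


def clean_uploaded_bytes(data, scanner=scan_bytes):
    """What a form field's clean() would do with the scan result.

    A detection rejects the upload, and so does a scanner that cannot be
    reached or answers unexpectedly: "could not scan" must not silently
    become "accepted".
    """
    try:
        is_clean, signature = scanner(data)
    except (OSError, RuntimeError) as exc:
        raise ValueError("upload could not be scanned: %s" % exc)
    if not is_clean:
        raise ValueError("upload rejected, matched %s" % signature)
    return data
```

The `scanner` parameter exists so the decision logic can be exercised without a running clamd; in production it is left at its default.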
Re: File Upload Content Type Verification
I can't trust the user because this field will be used in the frontend, which will be an app similar to the django admin, but much more limited.

So according to what you said, there is no standard way to do this. The second solution seems interesting.

But what if I wanted to restrict to images?

What's the best way to avoid security issues? Maybe store the file somewhere hidden would be safer?

On 24 Sep, 13:08, Tom Evans wrote:
> On Fri, Sep 24, 2010 at 11:28 AM, Federico Capoano wrote:
> > Is there a way we can check if a certain file being uploaded is really
> > what it claims to be?
> > Let's say I want to restrict files to PDF only, then I take a php
> > script and I rename it PDF I can still upload it if using the
> > following custom FileField that I just worked out yesterday:
>
> If you're not willing to trust the user, then you must validate the
> uploaded file. I can think of three straightforward ways to do so:
>
> 1) Use file(1) to determine the true file type. This will be just a
> guess from the opening few bytes of the file, and could be fooled by
> clever manipulation of the uploaded file.
>
> 2) Use ghostscript and its utilities to validate the pdf file.
> Something along these lines:
>
>     try:
>         is_pdf = (subprocess.check_call(['pdf2ps', '/path/to/file.pdf',
>                                          '/dev/null']) == 0)
>     except subprocess.CalledProcessError:
>         is_pdf = False
>
> 3) Use a pure python library like pyPdf to examine it. I wouldn't
> recommend this, it's a bit old and crufty.
>
> Cheers
>
> Tom
Re: File Upload Content Type Verification
On Fri, Sep 24, 2010 at 11:28 AM, Federico Capoano wrote:
> Is there a way we can check if a certain file being uploaded is really
> what it claims to be?
> Let's say I want to restrict files to PDF only, then I take a php
> script and I rename it PDF I can still upload it if using the
> following custom FileField that I just worked out yesterday:
>

If you're not willing to trust the user, then you must validate the uploaded file. I can think of three straightforward ways to do so:

1) Use file(1) to determine the true file type. This will be just a guess from the opening few bytes of the file, and could be fooled by clever manipulation of the uploaded file.

2) Use ghostscript and its utilities to validate the pdf file. Something along these lines:

    import subprocess

    try:
        # pdf2ps exits non-zero (so check_call raises) when Ghostscript cannot render the file
        is_pdf = (subprocess.check_call(['pdf2ps', '/path/to/file.pdf',
                                         '/dev/null']) == 0)
    except subprocess.CalledProcessError:
        is_pdf = False

3) Use a pure python library like pyPdf to examine it. I wouldn't recommend this, it's a bit old and crufty.

Cheers

Tom
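The first two of the three checks above, as an added example that is not from the thread or from Django: validation by what the bytes contain rather than by the browser-supplied content type or the filename. Magic-byte sniffing is done here in pure Python instead of by calling file(1); the signature table, the function names and the two constructed sample inputs (the renamed script from Federico's question, and a minimal PDF header) are my assumptions, and the pdf2ps invocation is the one quoted above, wrapped with a timeout. The table also includes the image types Federico asks about, since the mechanism is the same.

```python
# Added example (not from the thread): content-based validation of an upload.
import subprocess
import tempfile

# Leading-byte signatures for the formats this validator knows about.
SIGNATURES = {
    "application/pdf": [b"%PDF-"],
    "image/png": [b"\x89PNG\r\n\x1a\n"],
    "image/jpeg": [b"\xff\xd8\xff"],
    "image/gif": [b"GIF87a", b"GIF89a"],
}


def sniff_content_type(head):
    """Return the media type whose signature starts `head`, or None."""
    for media_type, magics in SIGNATURES.items():
        if any(head.startswith(m) for m in magics):
            return media_type
    return None


def validate_upload(data, allowed_types):
    """Raise ValueError unless the bytes look like one of `allowed_types`.

    Only the opening bytes are inspected, so this is exactly the "guess from
    the opening few bytes" described above: it rejects a renamed script, but a
    file built to carry a valid header still needs a real parser (pdf2ps,
    PIL, ...) behind it before it is trusted.
    """
    found = sniff_content_type(data[:16])
    if found is None or found not in allowed_types:
        raise ValueError("upload does not look like any of %s" % sorted(allowed_types))
    return found


def pdf_renders_with_ghostscript(data, timeout=30):
    """Option 2 from above: True only if Ghostscript can actually render the file.

    Returns None when pdf2ps is not installed or the run times out, so the
    caller decides whether "could not check" is treated as a rejection.
    """
    with tempfile.NamedTemporaryFile(suffix=".pdf") as tmp:
        tmp.write(data)
        tmp.flush()
        try:
            subprocess.run(
                ["pdf2ps", tmp.name, "/dev/null"],
                check=True, timeout=timeout,
                stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL,
            )
        except subprocess.CalledProcessError:
            return False
        except (FileNotFoundError, subprocess.TimeoutExpired):
            return None
    return True


# Constructed sample inputs: a script renamed to .pdf, and a minimal PDF header.
RENAMED_SCRIPT = b"<?php /* constructed placeholder, renamed to .pdf */ ?>"
REAL_PDF_HEAD = b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n"


def demo():
    """Return (type accepted for the PDF, whether the renamed script was rejected)."""
    accepted = validate_upload(REAL_PDF_HEAD, {"application/pdf"})
    try:
        validate_upload(RENAMED_SCRIPT, {"application/pdf"})
        rejected = False
    except ValueError:
        rejected = True
    return accepted, rejected


if __name__ == "__main__":
    print(demo())
```

In a Django field this would run inside clean() on the uploaded file's bytes, in place of the `file.content_type` comparison from the original question.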
File Upload Content Type Verification
Is there a way we can check if a certain file being uploaded is really what it claims to be? Let's say I want to restrict files to PDF only, then I take a php script and I rename it PDF I can still upload it if using the following custom FileField that I just worked out yesterday:

    from django.db.models import FileField
    from django.forms import forms
    from django.template.defaultfilters import filesizeformat
    from django.utils.translation import ugettext_lazy as _


    class ContentTypeRestrictedFileField(FileField):
        """
        Same as forms.FileField, but you can specify a content_type and max_upload_size.
        """
        def __init__(self, *args, **kwargs):
            self.content_types = kwargs.pop("content_types")
            self.max_upload_size = kwargs.pop("max_upload_size")
            super(ContentTypeRestrictedFileField, self).__init__(*args, **kwargs)

        def clean(self, *args, **kwargs):
            data = super(ContentTypeRestrictedFileField, self).clean(*args, **kwargs)
            file = data.file
            # content_type is taken from the browser's multipart headers,
            # not from the file's bytes, which is why a renamed script passes.
            content_type = file.content_type
            if content_type in self.content_types:
                if file.size > self.max_upload_size:
                    raise forms.ValidationError(
                        _('Please keep filesize under %s. Current filesize %s')
                        % (filesizeformat(self.max_upload_size), filesizeformat(file.size)))
            else:
                raise forms.ValidationError(_('The only filetype allowed is PDF.'))
            return data