suggestions please "what should i watch for/guard against' in a file upload situation?"

Martin Gregorie martin at address-in-sig.invalid
Wed Oct 6 16:01:02 EDT 2010


On Wed, 06 Oct 2010 09:02:21 -0700, geekbuntu wrote:

> in general, what are things i would want to 'watch for/guard against' in
> a file upload situation?
> 
> i have my file upload working (in the self-made framework @ work without
> any concession for multipart form uploads), but was told to make sure
> it's cleansed and cannot do any harm inside the system.
>
Off the top of my head, and assuming that you get passed the exact 
filename that the user entered:

- The user may need to use an absolute pathname to upload a file
  that isn't in his current directory, so retain only the basename
  by discarding the rightmost slash and everything to the left of it:
    /home/auser/photos/my_photo.jpg   ===> my_photo.jpg
    c:\My Photos\My Photo.jpg         ===> My Photo.jpg

- If your target system doesn't like spaces in names or you want to be
  on the safe side there, replace spaces in the name with underscores:
    My Photo.jpg     ===>    My_Photo.jpg

- reject any filenames that could cause the receiving system to do
  dangerous things, e.g. .EXE or .SCR if the upload target is Windows.
  This list will be different for each upload target, so make it 
  configurable.

  You can't assume anything else about the extension. 
  .py .c .txt and .html are all valid in the operating systems I use
  and so are their capitalised equivalents. 

- check whether the file already exists. You need
  rules about what to do if it exists (do you reject the upload,
  silently overwrite, or alter the name, e.g. by adding a numeric
  suffix to make the name unique):

     my_photo.jpg  ===>  my_photo-01.jpg

- run the application in your upload target directory and put the
  uploaded file there or, better, into a configured uploads directory
  by prepending it to the file name:

    my_photo.jpg   ===>  /home/upload_user/uploads/my_photo.jpg

- make sure you document the process so that a user can work out
  what has happened to his file and why if you have to reject it
  or alter its name.

> not sure but any suggestions or examples are most welcome :)
>
There's probably something I've forgotten, but that list should get you 
going.
 


-- 
martin@   | Martin Gregorie
gregorie. | Essex, UK
org       |
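The checklist above as one runnable Python pipeline. This is an added worked example, not code from the original post or thread: it assumes the handler is handed the exact filename the user typed (the `user_name` argument), an `exists` callback that reports whether a name is already taken in the uploads directory, and a configured uploads directory. The blocked-extension default is a constructed list (the two extensions the post names) and is meant to be replaced per upload target. It goes slightly beyond the post in one place: after prepending the uploads directory it re-checks that the resolved path still lies inside that directory, so a mistake earlier in the pipeline cannot turn into a write elsewhere.

```python
"""Filename sanitising pipeline for a file-upload handler (added example)."""
import os
from typing import Callable, Iterable

# Constructed default: extensions the receiving system must not be handed.
# Configure this per target; the post names .EXE and .SCR for Windows.
DEFAULT_BLOCKED_EXTENSIONS = frozenset({".exe", ".scr"})


def basename_only(user_name: str) -> str:
    """Discard the rightmost slash (or backslash) and everything left of it.

    Both separators are handled because a Windows client sends backslashes
    while a POSIX client sends slashes, whatever OS the server runs on.
    """
    return user_name.replace("\\", "/").rsplit("/", 1)[-1]


def sanitize_filename(user_name: str,
                      blocked_extensions: Iterable[str] = DEFAULT_BLOCKED_EXTENSIONS) -> str:
    """Return a safe basename, or raise ValueError saying why it was rejected."""
    base = basename_only(user_name).strip()
    # Empty, '.' and '..' would escape or clobber the uploads directory.
    if base in ("", ".", ".."):
        raise ValueError("rejected: no usable file name was supplied")
    # Spaces are legal on most systems but awkward; underscores are safer.
    base = base.replace(" ", "_")
    # Compare extensions case-insensitively: .EXE and .exe are the same thing.
    ext = os.path.splitext(base)[1].lower()
    blocked = {e.lower() for e in blocked_extensions}
    if ext in blocked:
        raise ValueError(f"rejected: files of type {ext!r} are not accepted")
    return base


def unique_name(base: str, exists: Callable[[str], bool], limit: int = 99) -> str:
    """Alter the name with a numeric suffix until it no longer collides."""
    if not exists(base):
        return base
    stem, ext = os.path.splitext(base)
    for n in range(1, limit + 1):
        candidate = f"{stem}-{n:02d}{ext}"
        if not exists(candidate):
            return candidate
    raise ValueError(f"rejected: too many files already named like {base!r}")


def resolve_upload_path(upload_dir: str, base: str) -> str:
    """Prepend the configured uploads directory and confirm the result stays inside it."""
    root = os.path.realpath(upload_dir)
    full = os.path.realpath(os.path.join(root, base))
    # Belt and braces: even after basename extraction, never trust the join blindly.
    if os.path.dirname(full) != root:
        raise ValueError("rejected: resolved path left the uploads directory")
    return full


def process_upload(user_name: str, upload_dir: str, exists: Callable[[str], bool]) -> str:
    """Run the whole checklist and return the path the upload should be written to."""
    base = sanitize_filename(user_name)
    base = unique_name(base, exists)
    return resolve_upload_path(upload_dir, base)


if __name__ == "__main__":
    # Constructed sample inputs; 'taken' stands in for an os.path.exists check.
    taken = {"my_photo.jpg"}.__contains__
    samples = ("/home/auser/photos/my_photo.jpg", r"c:\My Photos\My Photo.jpg",
               "setup.EXE", "..", "")
    for name in samples:
        try:
            print(f"{name!r:40} -> {process_upload(name, '/home/upload_user/uploads', taken)}")
        except ValueError as err:
            print(f"{name!r:40} -> {err}")
```

Each rejection carries a reason string, which is what the last point in the checklist asks for: the user can be told exactly why the name was refused or altered. The `exists` callback keeps the collision rule testable without touching the filesystem; in a real handler you would pass something like `lambda n: os.path.exists(os.path.join(upload_dir, n))`.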


