suggestions please "what should i watch for/guard against" in a file upload situation?
MRAB
python at mrabarnett.plus.com
Wed Oct 6 16:38:05 EDT 2010
On 06/10/2010 21:01, Martin Gregorie wrote:
> On Wed, 06 Oct 2010 09:02:21 -0700, geekbuntu wrote:
>
>> in general, what are things i would want to 'watch for/guard against' in
>> a file upload situation?
>>
>> i have my file upload working (in the self-made framework @ work without
>> any concession for multipart form uploads), but was told to make sure
>> it's cleansed and cannot do any harm inside the system.
>>
> Off the top of my head, and assuming that you get passed the exact
> filename that the user entered:
>
> - The user may need to use an absolute pathname to upload a file
> that isn't in his current directory, so retain only the basename
> by discarding the rightmost slash and everything to the left of it:
> /home/auser/photos/my_photo.jpg ===> my_photo.jpg
> c:\My Photos\My Photo.jpg ===> My Photo.jpg
>
> - If your target system doesn't like spaces in names or you want to be
> on the safe side there, replace spaces in the name with underscores:
> My Photo.jpg ===> My_Photo.jpg
>
> - reject any filenames that could cause the receiving system to do
> dangerous things, e.g. .EXE or .SCR if the upload target is Windows.
> This list will be different for each upload target, so make it
> configurable.
>
> You can't assume anything else about the extension.
> .py .c .txt and .html are all valid in the operating systems I use
> and so are their capitalised equivalents.
>
A whitelist is better than a blacklist; instead of rejecting what you
know could be dangerous, accept what you know _isn't_ dangerous.
> - check whether the file already exists. You need
> rules about what to do if it exists (do you reject the upload,
> silently overwrite, or alter the name, e.g. by adding a numeric
> suffix to make the name unique):
>
> my_photo.jpg ===> my_photo-01.jpg
>
> - run the application in your upload target directory and put the
> uploaded file there or, better, into a configured uploads directory
> by prepending it to the file name:
>
> my_photo.jpg ===> /home/upload_user/uploads/my_photo.jpg
>
> - make sure you document the process so that a user can work out
> what has happened to his file and why if you have to reject it
> or alter its name.
>
>> not sure but any suggestions or examples are most welcome :)
>>
> There's probably something I've forgotten, but that list should get you
> going.
>
Maximum file size, perhaps?
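The steps from the thread put together in one function (added example, not code from either poster): keep only the basename whichever slash style the client used, swap spaces for underscores, whitelist extensions instead of blacklisting them, add a numeric suffix on collision, prepend a configured uploads directory, and enforce a maximum size. The directory, extension set and size limit are constructed placeholders.

```python
import os
import ntpath

# Constructed values; the thread names no real directory, list or limit.
UPLOAD_DIR = "/home/upload_user/uploads"
ALLOWED_EXTENSIONS = {".jpg", ".png", ".txt"}   # whitelist, not blacklist
MAX_BYTES = 5 * 1024 * 1024                     # maximum upload size


def clean_name(user_filename):
    """Drop any directory part (ntpath splits on both '/' and '\\'),
    replace spaces, and reject names that are empty or only dots."""
    name = ntpath.basename(user_filename).replace(" ", "_")
    if name in ("", ".", "..") or "\x00" in name:
        raise ValueError("invalid filename: %r" % user_filename)
    return name


def check_extension(name):
    """Accept only whitelisted extensions, case-insensitively (.JPG == .jpg)."""
    ext = os.path.splitext(name)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        raise ValueError("extension not allowed: %r" % ext)


def unique_name(name, existing):
    """Add -01, -02, ... until the name does not clash with `existing`."""
    if name not in existing:
        return name
    stem, ext = os.path.splitext(name)
    for i in range(1, 100):
        candidate = "%s-%02d%s" % (stem, i, ext)
        if candidate not in existing:
            return candidate
    raise ValueError("too many copies of %s" % name)


def upload_path(user_filename, size, existing=frozenset(), upload_dir=UPLOAD_DIR):
    """Return the final path for an upload, or raise ValueError with the reason
    (which the caller should report back to the user, as the thread suggests)."""
    if size > MAX_BYTES:
        raise ValueError("file too large: %d bytes" % size)
    name = clean_name(user_filename)
    check_extension(name)
    name = unique_name(name, existing)
    path = os.path.join(upload_dir, name)
    # Final check: the resolved path must still sit directly in the uploads dir.
    if os.path.dirname(os.path.abspath(path)) != os.path.abspath(upload_dir):
        raise ValueError("path escaped uploads directory")
    return path
```

`existing` stands in for whatever the framework uses to know which names are already taken (a directory listing or a database query).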