suggestions please "what should i watch for/guard against' in a file upload situation?"

MRAB python at mrabarnett.plus.com
Wed Oct 6 16:38:05 EDT 2010


On 06/10/2010 21:01, Martin Gregorie wrote:
> On Wed, 06 Oct 2010 09:02:21 -0700, geekbuntu wrote:
>
>> in general, what are things i would want to 'watch for/guard against' in
>> a file upload situation?
>>
>> i have my file upload working (in the self-made framework @ work without
>> any concession for multipart form uploads), but was told to make sure
>> it's cleansed and cannot do any harm inside the system.
>>
> Off the top of my head, and assuming that you get passed the exact
> filename that the user entered:
>
> - The user may need to use an absolute pathname to upload a file
>    that isn't in his current directory, so retain only the basename
>    by discarding the rightmost slash and everything to the left of it:
>      /home/auser/photos/my_photo.jpg   ===>  my_photo.jpg
>      c:\My Photos\My Photo.jpg         ===>  My Photo.jpg
>
> - If your target system doesn't like spaces in names or you want to be
>    on the safe side there, replace spaces in the name with underscores:
>      My Photo.jpg     ===>     My_Photo.jpg
>
> - reject any filenames that could cause the receiving system to do
>    dangerous things, e.g. .EXE or .SCR if the upload target is Windows.
>    This list will be different for each upload target, so make it
>    configurable.
>
>    You can't assume anything else about the extension.
>    .py .c .txt and .html are all valid in the operating systems I use
>    and so are their capitalised equivalents.
>
A whitelist is better than a blacklist; instead of rejecting what you
know could be dangerous, accept what you know _isn't_ dangerous.

> - check whether the file already exists. You need
>    rules about what to do if it exists (do you reject the upload,
>    silently overwrite, or alter the name, e.g. by adding a numeric
>    suffix to make the name unique):
>
>       my_photo.jpg  ===>   my_photo-01.jpg
>
> - run the application in your upload target directory and put the
>    uploaded file there or, better, into a configured uploads directory
>    by prepending it to the file name:
>
>      my_photo.jpg   ===>   /home/upload_user/uploads/my_photo.jpg
>
> - make sure you document the process so that a user can work out
>    what has happened to his file and why if you have to reject it
>    or alter its name.
>
>> not sure but any suggestions or examples are most welcome :)
>>
> There's probably something I've forgotten, but that list should get you
> going.
>
Maximum file size, perhaps?
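The checks discussed in this thread (keep only the basename, replace spaces, whitelist extensions rather than blacklist them, add a numeric suffix on collision, confine the result to a configured uploads directory, and cap the size) fit into a few small functions. The code below is an added example written for this page, not code from the thread or any of its posters; the `ALLOWED_EXTENSIONS` set, the `MAX_UPLOAD_BYTES` limit and the `/srv/uploads` directory used in the comments are constructed values that a real deployment would configure.

```python
import os
import re

# Deployment-specific configuration (constructed values for this example).
ALLOWED_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif", ".txt"}
MAX_UPLOAD_BYTES = 5 * 1024 * 1024


class UploadRejected(ValueError):
    """Raised with a human-readable reason so the user can be told why."""


def clean_filename(raw_name):
    """Reduce a user-supplied path to a safe basename.

    Takes what follows the rightmost '/' or '\\', replaces spaces with
    underscores, drops characters outside a conservative whitelist,
    strips leading dots, and requires a whitelisted extension
    (compared case-insensitively; the returned extension is lowercased).
    """
    name = re.split(r"[\\/]", raw_name)[-1]
    name = name.replace(" ", "_")
    name = re.sub(r"[^A-Za-z0-9._-]", "", name)
    # Leading dots would produce hidden files (or '..'); remove them.
    name = name.lstrip(".")
    if not name:
        raise UploadRejected("filename is empty after cleaning")
    stem, ext = os.path.splitext(name)
    if not stem:
        raise UploadRejected("filename has no name part")
    if ext.lower() not in ALLOWED_EXTENSIONS:
        raise UploadRejected("extension %r is not permitted" % ext)
    return stem + ext.lower()


def is_acceptable(raw_name):
    """True if clean_filename would accept raw_name, False if it rejects it."""
    try:
        clean_filename(raw_name)
        return True
    except UploadRejected:
        return False


def unique_path(upload_dir, name, exists=os.path.exists):
    """Return a path under upload_dir that does not yet exist.

    On collision, insert -01, -02, ... before the extension. The `exists`
    callable is injectable so the logic can be exercised without a disk.
    """
    stem, ext = os.path.splitext(name)
    candidate = os.path.join(upload_dir, name)
    n = 0
    while exists(candidate):
        n += 1
        if n > 99:
            raise UploadRejected("too many files named %r already exist" % name)
        candidate = os.path.join(upload_dir, "%s-%02d%s" % (stem, n, ext))
    return candidate


def plan_upload(upload_dir, raw_name, data, exists=os.path.exists):
    """Check size, clean the name, pick a unique destination, and confirm
    the destination really lies inside upload_dir. Returns the final path
    without writing anything."""
    if len(data) > MAX_UPLOAD_BYTES:
        raise UploadRejected("file exceeds %d bytes" % MAX_UPLOAD_BYTES)
    name = clean_filename(raw_name)
    dest = unique_path(upload_dir, name, exists)
    # The cleaned name carries no separators, but verify the resolved
    # path anyway so a later change to clean_filename cannot let a
    # destination escape the uploads directory unnoticed.
    base = os.path.realpath(upload_dir)
    if os.path.commonpath([base, os.path.realpath(dest)]) != base:
        raise UploadRejected("destination escapes the upload directory")
    return dest


def write_upload(upload_dir, raw_name, data):
    """Plan the upload and write it with exclusive create ('x' mode) so a
    file that appears between the existence check and the write is not
    silently overwritten."""
    dest = plan_upload(upload_dir, raw_name, data)
    with open(dest, "xb") as fh:
        fh.write(data)
    return dest


if __name__ == "__main__":
    import tempfile
    # Constructed sample names; the second copy of my_photo.jpg gets -01.
    samples = ["/home/auser/photos/my_photo.jpg", "my_photo.jpg",
               r"c:\My Photos\My Photo.jpg", "setup.EXE", "../../etc/passwd"]
    with tempfile.TemporaryDirectory() as d:
        for raw in samples:
            try:
                print("%-32s -> %s" % (raw, write_upload(d, raw, b"sample bytes")))
            except UploadRejected as err:
                print("%-32s -> rejected: %s" % (raw, err))
```

Two caveats worth keeping in mind when adapting this: the whitelist only looks at the final extension, so the file's content type should still be checked separately before anything is served back to browsers, and the size check above assumes the whole body is already in memory; for large uploads the framework should enforce the limit while reading the request rather than after.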


