suggestions please "what should i watch for/guard against" in a file upload situation?

Seebs usenet-nospam at seebs.net
Wed Oct 6 17:40:28 EDT 2010


On 2010-10-06, Diez B. Roggisch <deets at web.de> wrote:
> Seebs <usenet-nospam at seebs.net> writes:
>> On 2010-10-06, geekbuntu <gmilby at gmail.com> wrote:
>>> in general, what are things i would want to 'watch for/guard against'
>>> in a file upload situation?

>> This question has virtually nothing to do with Python, which means you
>> may not get very good answers.

> In contrast to "comp.super.web.experts"? There are quite a few people
> with web-experience here I'd say. 

Oh, certainly.  But in general, I try to ask questions in a group focused
on their domain, rather than merely a group likely to contain people who
would for other reasons have the relevant experience.  I'm sure that a great
number of Python programmers have experience with sex, that doesn't make
this a great newsgroup for sex tips.  (Well, maybe it does.)

> Given that most people are not computer savvy (always remember, the
> default for windows is to hide extensions..), using it client-side can
> be valuable to prevent long uploads that eventually need to be rejected
> otherwise (no mom, you can't upload word-docs as profile pictures).

That's a good point.  On the other hand, there's a corollary; you may want
to look at the contents of the file in case they're not really what they're
supposed to be.

> Your strange focus on file-names that are pure meta information is a
> little bit concerning... 

If you're uploading files "into a directory", then it is quite likely that
you're getting file names from somewhere.  Untrusted file names are a much
more effective attack vector, in most cases, than EXIF information.

> Certainly advice. But that's less focussed on filenames or file-uploads, but
> on the whole subject of processing HTTP-requests. Which would make a
> point for *not* using a home-grown framework.

Well, yeah.  I was assuming that the home-grown framework was mandatory for
some reason.  Possibly a very important reason, such as "otherwise we won't
have written it ourselves".

-s
-- 
Copyright 2010, all wrongs reversed.  Peter Seebach / usenet-nospam at seebs.net
http://www.seebs.net/log/ <-- lawsuits, religion, and funny pictures
http://en.wikipedia.org/wiki/Fair_Game_(Scientology) <-- get educated!
I am not speaking for my employer, although they do rent some of my opinions.
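The two points made above, that the client-supplied file name is the real attack vector when writing uploads into a directory, and that the file's bytes should be checked rather than its claimed type, as one added worked example in Python. This is not code from the thread; it assumes an image-only upload (PNG/JPEG/GIF identified by their standard leading bytes), a hypothetical 2 MiB size cap, and a server-chosen on-disk name so the client name never becomes part of a path.

```python
"""
Defensive handling of a browser file upload (added example, not from the post):
never trust the client-supplied file name, and verify that the bytes actually
look like the type the extension claims.
"""
import os
import re
import secrets

# Leading bytes that identify the image formats we are willing to accept.
# These are the standard signatures from the PNG, JPEG and GIF specifications.
IMAGE_SIGNATURES = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpg",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}

MAX_UPLOAD_BYTES = 2 * 1024 * 1024  # assumed cap for a profile picture (hypothetical)


def sniff_image_type(data: bytes):
    """Return 'png'/'jpg'/'gif' if the bytes start with a known signature, else None.

    Trusting the extension alone is what lets a Word document (or a script)
    be stored as 'photo.jpg'; checking the content closes that gap.
    """
    for magic, ext in IMAGE_SIGNATURES.items():
        if data.startswith(magic):
            return ext
    return None


def sanitize_client_filename(name: str) -> str:
    """Reduce an untrusted file name to a harmless base name.

    A client can send '../../etc/passwd', 'C:\\boot.ini', NUL bytes, or an
    empty string. Only the final path component survives, restricted to a
    conservative character set, and hidden/dot-only names are refused.
    """
    # Strip directory components in either OS convention, then NUL bytes.
    name = name.replace("\\", "/").split("/")[-1].replace("\x00", "")
    # Replace anything outside a conservative character set.
    name = re.sub(r"[^A-Za-z0-9._-]", "_", name)
    # Drop leading dots so '..' and hidden files cannot be produced.
    name = name.lstrip(".")
    return name or "upload"


def store_upload(upload_dir: str, client_name: str, data: bytes) -> str:
    """Validate and save an uploaded file; return its on-disk path.

    Raises ValueError for oversized or non-image content. The stored name is
    generated server-side (random token + sniffed extension); the sanitized
    client name is only suitable as display metadata, never as the path.
    """
    if len(data) > MAX_UPLOAD_BYTES:
        raise ValueError("upload too large")
    ext = sniff_image_type(data)
    if ext is None:
        raise ValueError("content is not a supported image")
    display_name = sanitize_client_filename(client_name)  # metadata only

    stored_name = f"{secrets.token_hex(16)}.{ext}"
    upload_dir = os.path.realpath(upload_dir)
    dest = os.path.realpath(os.path.join(upload_dir, stored_name))
    # Belt and braces: the resolved path must still be directly inside upload_dir.
    if os.path.dirname(dest) != upload_dir:
        raise ValueError("refusing to write outside the upload directory")
    # O_EXCL: never overwrite or follow a pre-existing file or symlink.
    fd = os.open(dest, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return dest


if __name__ == "__main__":
    # Constructed sample: a client name with traversal and a minimal JPEG header.
    import tempfile
    d = tempfile.mkdtemp()
    print(store_upload(d, "../../../photo.jpg", b"\xff\xd8\xff" + b"\x00" * 16))
    print(sanitize_client_filename("..\\..\\evil\x00.php"))
```

The file name sanitizer is kept only for display; the actual path under the upload directory is chosen by the server, which is what makes the traversal and NUL-byte cases moot for storage. Signature sniffing is a coarse check, not a full parse; for formats where a polyglot is plausible, decoding the image with a real library and re-encoding it is the stronger option.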
