I can't trust the user because this field will be used in the
frontend, which will be an app similar to the django admin, but much
more limited.
So according to what you said, there is no standard way to do this.
The second solution seems interesting.

But what if I wanted to restrict to images?

What's the best way to avoid security issues? Maybe storing the file
somewhere hidden would be safer?
On 24 Sep, 13:08, Tom Evans <tevans...@googlemail.com> wrote:
> On Fri, Sep 24, 2010 at 11:28 AM, Federico Capoano
>
> <nemesis.des...@libero.it> wrote:
> > Is there a way we can check if a certain file being uploaded is really
> > what it claims to be?
> > Let's say I want to restrict files to PDF only, then I take a php
> > script and I rename it PDF I can still upload it if using the
> > following custom FileField that I just worked out yesterday:
>
> If you're not willing to trust the user, then you must validate the
> uploaded file. I can think of three straightforward ways to do so:
>
> 1) Use file(1) to determine the true file type. This will be just a
> guess from the opening few bytes of the file, and could be fooled by
> clever manipulation of the uploaded file.
>
> 2) Use ghostscript and its utilities to validate the pdf file.
> Something along these lines:
>
>   import subprocess
>
>   try:
>       # pdf2ps exits non-zero (and check_call raises) if ghostscript
>       # cannot parse the file as a PDF.
>       is_pdf = (subprocess.check_call(['pdf2ps', '/path/to/file.pdf',
> '/dev/null']) == 0)
>   except subprocess.CalledProcessError:
>       is_pdf = False
>
> 3) Use a pure python library like pyPdf to examine it. I wouldn't
> recommend this, it's a bit old and crufty.
>
> Cheers
>
> Tom
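An added example (not from this thread or from Django) of the content-versus-extension check being discussed, extended to the image case asked about above: it sniffs the opening bytes for PDF/PNG/JPEG/GIF signatures and requires the declared extension to agree, raising ValueError so a caller (for example a custom FileField's clean method) can turn it into a form error. As Tom notes for file(1), this is only a guess from the first bytes; the SIGNATURES table, EXTENSIONS table and function names are assumptions.

```python
import os

# Magic-byte signatures for the formats discussed in the thread
# (constructed table; offsets/bytes are the published format signatures).
SIGNATURES = {
    "pdf": [(0, b"%PDF-")],
    "png": [(0, b"\x89PNG\r\n\x1a\n")],
    "jpeg": [(0, b"\xff\xd8\xff")],
    "gif": [(0, b"GIF87a"), (0, b"GIF89a")],
}

# Extensions that are acceptable for each sniffed type.
EXTENSIONS = {
    "pdf": {".pdf"},
    "png": {".png"},
    "jpeg": {".jpg", ".jpeg"},
    "gif": {".gif"},
}


def sniff_type(head):
    """Return the format whose signature matches the opening bytes, else None.

    Like file(1), this is only a guess from the first few bytes: a file can
    carry a valid header and still be malformed or hide other content later,
    so a parser-based check (e.g. ghostscript, or Pillow's verify() for
    images) is the stronger second line of defence.
    """
    for name, patterns in SIGNATURES.items():
        for offset, magic in patterns:
            if head[offset:offset + len(magic)] == magic:
                return name
    return None


def validate_upload(filename, data, allowed=("pdf",)):
    """Reject the upload unless its content sniffs as an allowed type AND the
    declared extension agrees with that type; return the detected type.

    Raises ValueError so the caller can map it to a form/field error.
    """
    detected = sniff_type(data[:16])
    if detected is None or detected not in allowed:
        raise ValueError("content is not an allowed type: %r" % (detected,))
    ext = os.path.splitext(filename)[1].lower()
    if ext not in EXTENSIONS[detected]:
        raise ValueError("extension %r does not match content %r" % (ext, detected))
    return detected
```

Pass `allowed=("png", "jpeg", "gif")` to get the images-only variant asked about above.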
