for images PIL does the job more or less well for all the file types and formats it knows (validation built in ImageField). I have recognized problems with some image file types...

you may also do some virus scan... we added clamav (pyclamd) to the clean method...

regards
Henrik

> reply to message:
> date: 24.09.2010 06:23:55
> from: "Federico Capoano" <nemesis.des...@libero.it>
> to: "Django users" <django-users@googlegroups.com>
> subject: Re: File Upload Content Type Verification
>
> I can't trust the user because this field will be used in the
> frontend, which will be an app similar to the django admin, but much
> more limited.
>
> So according to what you said, there is no standard way to do this.
> The second solution seems interesting.
>
> But what if I wanted to restrict to images?
>
> What's the best way to avoid security issues? Maybe storing the file
> somewhere hidden would be safer?
>
> On 24 Sep, 13:08, Tom Evans <tevans...@googlemail.com> wrote:
>> On Fri, Sep 24, 2010 at 11:28 AM, Federico Capoano
>> <nemesis.des...@libero.it> wrote:
>> > Is there a way we can check if a certain file being uploaded is really
>> > what it claims to be?
>> > Let's say I want to restrict files to PDF only, then I take a php
>> > script and I rename it PDF. I can still upload it if using the
>> > following custom FileField that I just worked out yesterday:
>>
>> If you're not willing to trust the user, then you must validate the
>> uploaded file. I can think of three straightforward ways to do so:
>>
>> 1) Use file(1) to determine the true file type. This will be just a
>> guess from the opening few bytes of the file, and could be fooled by
>> clever manipulation of the uploaded file.
>>
>> 2) Use ghostscript and its utilities to validate the pdf file.
>> Something along these lines:
>>
>> import subprocess
>>
>> try:
>>     # check_call raises CalledProcessError on a non-zero exit status
>>     is_pdf = (subprocess.check_call(['pdf2ps', '/path/to/file.pdf',
>>                                      '/dev/null']) == 0)
>> except subprocess.CalledProcessError:
>>     is_pdf = False
>>
>> 3) Use a pure python library like pyPdf to examine it. I wouldn't
>> recommend this, it's a bit old and crufty.
>>
>> Cheers
>>
>> Tom
>

--
You received this message because you are subscribed to the Google Groups "Django users" group.
To post to this group, send email to django-us...@googlegroups.com.
To unsubscribe from this group, send email to django-users+unsubscr...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/django-users?hl=en.
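The layered check the thread converges on (a file(1)-style signature sniff first, then an actual structural parse of the declared format, the way ImageField leans on PIL), written out as an added example; this is not code from the thread or from Django, it uses only the standard library, and the PNG, PDF and renamed-script inputs are constructed samples.

```python
import re
import struct
import zlib

# Leading-byte signatures, in the spirit of file(1): a hint, never proof of validity.
SIGNATURES = {b"%PDF-": "pdf", b"\x89PNG\r\n\x1a\n": "png", b"\xff\xd8\xff": "jpeg"}
EXTENSIONS = {"pdf": {"pdf"}, "png": {"png"}, "jpeg": {"jpg", "jpeg"}}

def sniff(data):
    """Type implied by the opening bytes, or None if no signature matches."""
    for magic, kind in SIGNATURES.items():
        if data.startswith(magic):
            return kind
    return None

def png_is_well_formed(data):
    """Parse the first chunk: it must be a 13-byte IHDR whose CRC checks out."""
    if len(data) < 33:
        return False
    length, ctype = struct.unpack(">I4s", data[8:16])
    (crc,) = struct.unpack(">I", data[29:33])
    return ctype == b"IHDR" and length == 13 and zlib.crc32(data[12:29]) == crc

def pdf_is_well_formed(data):
    """Cheap structural check: version header, at least one object, trailer marker."""
    return bool(re.match(rb"%PDF-1\.\d", data)) and b" obj" in data and b"%%EOF" in data[-1024:]

def validate_upload(filename, data, allowed):
    """Return (True, type) if the bytes really are an allowed type, else (False, reason)."""
    kind = sniff(data)
    if kind not in allowed:
        return False, "content matches none of %s" % sorted(allowed)
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in EXTENSIONS[kind]:
        return False, "extension .%s contradicts the content (%s)" % (ext, kind)
    if kind == "png" and not png_is_well_formed(data):
        return False, "PNG signature present but the structure is broken"
    if kind == "pdf" and not pdf_is_well_formed(data):
        return False, "PDF header present but no object or trailer found"
    return True, kind

# Constructed samples: a one-pixel PNG, a minimal PDF, and a script renamed to .pdf.
IHDR = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
TINY_PNG = (b"\x89PNG\r\n\x1a\n" + struct.pack(">I", 13) + b"IHDR" + IHDR
            + struct.pack(">I", zlib.crc32(b"IHDR" + IHDR)))
TINY_PDF = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\ntrailer\n<< /Root 1 0 R >>\n%%EOF\n"
RENAMED_SCRIPT = b"<?php echo 'not really a pdf'; ?>\n"
```

The sniff alone is the weak step Tom describes; it is the structural parse that rejects a file whose name and leading bytes disagree with its body, and a full parser (PIL for images, ghostscript for PDF) is the stronger form of that second step.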