Thanks. I'm concerned about the possibility of uploading and executing a script on the server. Just this. I think I can avoid this by hiding the file somewhere behind the public folder so the content is not accessible via HTTP.
On 24 Sep, 13:31, Tom Evans <tevans...@googlemail.com> wrote:
> On Fri, Sep 24, 2010 at 12:23 PM, Federico Capoano
> <nemesis.des...@libero.it> wrote:
> > I can't trust the user because this field will be used in the
> > frontend, which will be an app similar to the django admin, but much
> > more limited.
> >
> > So according to what you said, there is no standard way to do this.
> > The second solution seems interesting.
> >
> > But what if I wanted to restrict to images?
> >
> > What's the best way to avoid security issues? Maybe storing the file
> > somewhere hidden would be safer?
>
> Depends what you mean by 'standard'. I would consider it standard to
> validate user supplied input, and that process is the same regardless
> of filetype; the only thing that changes is how you validate the
> input.
>
> For images, you can simply use an ImageField, which uses PIL to
> validate that the uploaded file is an image file supported by PIL.
>
> I don't understand what security issues you are referring to.
>
> Cheers
>
> Tom
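The two layers discussed in this thread, validating the upload as an image and then storing it outside the public folder under a server-chosen name, as an added example that is not part of the original thread or of Django itself. It is plain Python with no Django or PIL dependency; the signature table, the size limit, the `UploadRejected` exception and the `store_upload` helper are assumptions made for the example.

```python
import secrets
from pathlib import Path

# Assumed allow-list for this example: extension -> accepted leading magic bytes.
IMAGE_SIGNATURES = {
    ".png": [b"\x89PNG\r\n\x1a\n"],
    ".jpg": [b"\xff\xd8\xff"],
    ".jpeg": [b"\xff\xd8\xff"],
    ".gif": [b"GIF87a", b"GIF89a"],
}

MAX_BYTES = 5 * 1024 * 1024  # assumed upload size limit


class UploadRejected(ValueError):
    """Raised when an upload fails validation (hypothetical name)."""


def validate_image_upload(filename: str, data: bytes) -> str:
    """Return the normalised extension if `data` looks like the image type
    its extension claims; raise UploadRejected otherwise."""
    ext = Path(filename).suffix.lower()
    if ext not in IMAGE_SIGNATURES:
        raise UploadRejected(f"extension {ext!r} is not on the allow-list")
    if len(data) == 0 or len(data) > MAX_BYTES:
        raise UploadRejected("empty or oversized upload")
    if not any(data.startswith(sig) for sig in IMAGE_SIGNATURES[ext]):
        raise UploadRejected("content does not match the claimed image type")
    return ext


def store_upload(filename: str, data: bytes, private_root: Path) -> Path:
    """Validate, then write the bytes under `private_root`, a directory that
    the web server does not serve, using a random name so the client controls
    neither the path nor the filename (only the validated extension survives)."""
    ext = validate_image_upload(filename, data)
    private_root.mkdir(parents=True, exist_ok=True)
    dest = private_root / (secrets.token_hex(16) + ext)
    with open(dest, "xb") as fh:  # "x": fail rather than overwrite an existing file
        fh.write(data)
    return dest
```

A leading-bytes check like this is weaker than the full decode that Django's ImageField performs through PIL, and no content check rules out an otherwise valid image carrying script text, which is why the file also lives outside the HTTP-served tree and is never written back under a user-supplied name.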