Brilliant!  Thanks (John) for following through.  I had the same questions 
with the same responses you had to your answers. And I also don't have a 
form that starts the view.  I have an image type that is not common (but is 
a standard), so hoped that the documentation comment "validates that the 
uploaded object is a valid image" would mean I could add a method to 
validate.  I think you got enough in your responses to either let me do 
that or at least prove I can use the vanilla mechanism to do so. (I see 
this thread was long ago and I'm now using Django 2.0 so it could be OBE)

On Monday, March 22, 2010 at 4:25:00 PM UTC-7, john2095 wrote:
>
> Thanks Tom.  I don't know where it comes from but it seems deeply
> ingrained for me to expect the model to enforce the atomicity/
> integrity of its objects.
>
> Just for anyone who stumbles over this thread and wants to know how it
> ends...
>
> In this application I'm not using a form (uploadify is a flash-based
> file sender) but I can still take advantage of the django.forms
> validation routines by invoking ImageField without a form. This seems
> to work:
>
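> def upload(request):
>     # Validate the raw upload with the forms-layer ImageField; no Form is needed.
>     from django.forms import ImageField, ValidationError
>     from django.http import HttpResponse
>     try:
>         photo = ImageField().clean(request.FILES['Filedata'])
>     except ValidationError:
>         return HttpResponse("I don't think that's an image.")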
>
>
> On Mar 22, 9:04 pm, Tom Evans <tevans...@googlemail.com> wrote:
> > On Mon, Mar 22, 2010 at 6:51 AM, john2095 <john...@pobox.com> wrote:
> > > But does this all amount to an expectation that it will restrict the
> > > upload to an image??
> >
> > > I've got this in my model:
> >
> > > class Photo(models.Model):
> > >    image = models.ImageField(upload_to='photos')
> >
> > > and this in my view:
> > >    try:
> > >        p = Photo()
> > >        p.image = request.FILES['Filedata']
> > >        p.save()
> > >        return HttpResponse('OK')
> > > ...
> >
> > > Yet if I do this:
> >
> > > curl -F Fileda...@nasty.exe http://mysite/photo/upload/
> >
> > > It seems quite happy to save the .exe
> >
> > > Can someone please confirm the same test result?   I wouldn't like to
> > > say "security advisory" prematurely.
> >
> > > Thanks.
> >
> > Models don't have validation, forms have validation. If it passed
> > through a forms.ImageField it would get rejected as invalid.
> >
> > Cheers
> >
> > Tom
>
>
