On 2010-10-06, geekbuntu <gmi...@gmail.com> wrote:
> in general, what are things i would want to 'watch for/guard against'
> in a file upload situation?

This question has virtually nothing to do with Python, which means you may
not get very good answers.

> my checklist so far is basically to check the extension - ensure it
> has 3 places, ensure it's in the allowed list (like jpg gif etc...).

This strikes me as 100% irrelevant. Who cares what the extension is?

> not sure what else i could do to guard against anything bad
> happening. maybe the file name itself could cause grief?

Obvious things:

* File name causes files to get created outside some particular upload
  directory ("../foo")
* File name has spaces
* Crazy stuff like null bytes in file name
* File names which might break things if a user carelessly interacts with
  them, such as "foo.jpg /etc/passwd bar.jpg" (all one file name including
  two spaces).

Basically, the key question is, could a hostile user come up with input to
your script which could break something?

-s
-- 
Copyright 2010, all wrongs reversed. Peter Seebach / usenet-nos...@seebs.net
http://www.seebs.net/log/ <-- lawsuits, religion, and funny pictures
http://en.wikipedia.org/wiki/Fair_Game_(Scientology) <-- get educated!
I am not speaking for my employer, although they do rent some of my opinions.
-- 
http://mail.python.org/mailman/listinfo/python-list
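Added example, not code from either poster: a Python upload-name check that rejects the hazards listed in the reply above (names that would land outside the upload directory, spaces, null bytes, names with embedded paths that could confuse a careless user) and then confines the final path to the upload directory as a second line of defence. It also keeps the asker's extension whitelist and, going one step beyond the thread, checks that the file's first bytes match what the extension claims. The upload directory, the allowed extensions and the name whitelist are assumptions chosen for the example.

```python
import os
import re
import unicodedata

# Hypothetical upload directory and allowed extensions for this example
# (assumptions, not taken from the thread).
UPLOAD_DIR = "/var/www/uploads"
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "gif", "png"}

# Whitelist for the stored name: starts with a letter or digit, then only
# letters, digits, dot, dash and underscore, at most 128 characters total.
_SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$")

# Leading bytes of the accepted image formats, used to compare the declared
# extension against the actual content (this check goes beyond the thread).
_MAGIC = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
    "png": (b"\x89PNG\r\n\x1a\n",),
}


def validate_upload_name(name):
    """Return (True, "") if `name` is safe to use as a file name inside the
    upload directory, otherwise (False, reason). Rejects the hazards from the
    reply: null bytes, spaces and control characters, path separators
    (so "../foo" never reaches os.path.join), and anything outside the
    whitelist; finally applies the asker's extension list."""
    if not isinstance(name, str) or not name:
        return False, "empty name"
    if "\x00" in name:
        return False, "null byte in name"
    for ch in name:
        # Unicode categories Z* are separators/spaces, C* are controls and
        # other odd code points; both are refused outright.
        cat = unicodedata.category(ch)
        if cat.startswith("Z") or cat.startswith("C"):
            return False, "whitespace or control character in name"
    if "/" in name or "\\" in name:
        # Some browsers send the full client-side path; refuse rather than
        # try to strip it, so traversal sequences are never interpreted.
        return False, "path separator in name"
    if not _SAFE_NAME.match(name):
        return False, "character outside whitelist"
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if ext not in ALLOWED_EXTENSIONS:
        return False, "extension not allowed"
    return True, ""


def safe_target_path(name, upload_dir=UPLOAD_DIR):
    """Map a validated upload name to an absolute path that is guaranteed to
    sit directly inside `upload_dir`; raise ValueError otherwise. realpath()
    resolves symlinks, so a name that is itself a link pointing elsewhere is
    also caught. This containment check is independent of the name check."""
    ok, reason = validate_upload_name(name)
    if not ok:
        raise ValueError("rejected upload name %r: %s" % (name, reason))
    root = os.path.realpath(upload_dir)
    target = os.path.realpath(os.path.join(root, name))
    if os.path.dirname(target) != root:
        raise ValueError("upload name escapes upload directory: %r" % name)
    return target


def content_matches_extension(data, name):
    """Return True if the first bytes of `data` are those of the format the
    extension claims. The extension is only a label chosen by the client;
    the bytes are what the server and other users will actually process."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    return any(data.startswith(sig) for sig in _MAGIC.get(ext, ()))


if __name__ == "__main__":
    # Constructed inputs covering the cases named in the thread.
    for candidate in ("cat.jpg", "../foo", "foo.jpg /etc/passwd bar.jpg",
                      "a\x00.jpg", "shell.php"):
        print(repr(candidate), validate_upload_name(candidate))
    print(safe_target_path("cat.jpg"))
    print(content_matches_extension(b"\xff\xd8\xff\xe0" + b"\x00" * 16, "photo.jpg"))
```

Note that the stored name is checked against a whitelist rather than by stripping bad characters: rejecting an unexpected name is cheaper and safer than guessing how to repair it, and the containment check in safe_target_path still holds even if the whitelist is later loosened.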
This question has virtually nothing to do with Python, which means you may not get very good answers. > my checklist so far is basically to check the extension - ensure it > has 3 places, ensure it's in the allowed list (like jpg gif etc...). This strikes me as 100% irrelevant. Who cares what the extension is? > not sure what else i could do to guard against anything bad > happening. maybe the file name itself could cause greif? Obvious things: * File name causes files to get created outside some particular upload directory ("../foo") * File name has spaces * Crazy stuff like null bytes in file name * File names which might break things if a user carelessly interacts with them, such as "foo.jpg /etc/passwd bar.jpg" (all one file name including two spaces). Basically, the key question is, could a hostile user come up with input to your script which could break something? -s -- Copyright 2010, all wrongs reversed. Peter Seebach / usenet-nos...@seebs.net http://www.seebs.net/log/ <-- lawsuits, religion, and funny pictures http://en.wikipedia.org/wiki/Fair_Game_(Scientology) <-- get educated! I am not speaking for my employer, although they do rent some of my opinions. -- http://mail.python.org/mailman/listinfo/python-list