On 2010-10-06, Diez B. Roggisch <de...@web.de> wrote:
> Seebs <usenet-nos...@seebs.net> writes:
>> On 2010-10-06, geekbuntu <gmi...@gmail.com> wrote:
>>> In general, what are things I would want to 'watch for/guard against'
>>> in a file upload situation?
>> This question has virtually nothing to do with Python, which means you
>> may not get very good answers.
> In contrast to "comp.super.web.experts"? There are quite a few people
> with web experience here, I'd say.

Oh, certainly. But in general, I try to ask questions in a group focused on their domain, rather than merely a group likely to contain people who would for other reasons have the relevant experience. I'm sure that a great number of Python programmers have experience with sex; that doesn't make this a great newsgroup for sex tips. (Well, maybe it does.)

> Given that most people are not computer savvy (always remember, the
> default for Windows is to hide extensions...), using it client-side can
> be valuable to prevent long uploads that eventually need to be rejected
> otherwise (no, Mom, you can't upload Word docs as profile pictures).

That's a good point. On the other hand, there's a corollary: you may want to look at the contents of the file in case they're not really what they're supposed to be.

> Your strange focus on file names that are pure meta information is a
> little bit concerning...

If you're uploading files "into a directory", then it is quite likely that you're getting file names from somewhere. Untrusted file names are a much more effective attack vector, in most cases, than EXIF information.

> Certainly advice. But that's less focussed on filenames or file uploads, but
> on the whole subject of processing HTTP requests. Which would make a
> point for *not* using a home-grown framework.

Well, yeah. I was assuming that the home-grown framework was mandatory for some reason. Possibly a very important reason, such as "otherwise we won't have written it ourselves".

-s
-- 
Copyright 2010, all wrongs reversed.  Peter Seebach / usenet-nos...@seebs.net
http://www.seebs.net/log/ <-- lawsuits, religion, and funny pictures
http://en.wikipedia.org/wiki/Fair_Game_(Scientology) <-- get educated!
I am not speaking for my employer, although they do rent some of my opinions.
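The three checks the thread converges on (bound the size before doing anything else, decide the type from the file's contents rather than from the name the browser sent, and treat the client-supplied file name as untrusted metadata that never becomes a path on the server) as an added Python example. This is not code from the original thread or from any project discussed in it; the magic-byte table, the function names `sniff_image_type`, `display_name`, `validate_upload`, `accepts` and `store_upload`, the size limit and the sample byte strings are all constructed here for illustration.

```python
"""Server-side handling of an untrusted file upload (added example, not from the thread)."""
import os
import re
import secrets

MAX_BYTES = 2 * 1024 * 1024  # assumed limit; reject oversized bodies before any other work

# Content sniffing table (constructed for this example): the type comes from the
# leading bytes of the upload, not from the extension, which the user controls
# and, on a default Windows install, cannot even see.
MAGIC = (
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xff\xd8\xff", "jpg"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
)


def sniff_image_type(data: bytes):
    """Return 'png', 'jpg' or 'gif' based on magic bytes, or None if unrecognised."""
    for magic, ext in MAGIC:
        if data.startswith(magic):
            return ext
    return None


_UNSAFE = re.compile(r"[^A-Za-z0-9._-]")


def display_name(client_name: str) -> str:
    """Reduce the browser-supplied name to something safe to show or log.

    The result is metadata only; it is never used to build a path on disk.
    """
    # Keep only the last path component (either separator style), then
    # replace anything outside a small allow-list and drop leading dots so
    # the name can never look like a hidden or dot-dot entry.
    base = re.split(r"[\\/]", client_name)[-1]
    base = _UNSAFE.sub("_", base).lstrip(".")
    return base[:100] or "upload"


def validate_upload(client_name: str, data: bytes) -> dict:
    """Decide what to store. Raises ValueError for anything we will not accept."""
    if len(data) > MAX_BYTES:
        raise ValueError("file too large")
    ext = sniff_image_type(data)
    if ext is None:
        raise ValueError("not a PNG, JPEG or GIF by content")
    # The server chooses the on-disk name; the client name cannot influence it.
    stored = f"{secrets.token_hex(16)}.{ext}"
    return {"stored_name": stored, "type": ext, "display_name": display_name(client_name)}


def accepts(client_name: str, data: bytes) -> bool:
    """Convenience wrapper: True if validate_upload would accept this upload."""
    try:
        validate_upload(client_name, data)
        return True
    except ValueError:
        return False


def store_upload(client_name: str, data: bytes, upload_dir: str) -> dict:
    """Validate, then write under a server-generated name inside upload_dir."""
    info = validate_upload(client_name, data)
    root = os.path.realpath(upload_dir)
    path = os.path.realpath(os.path.join(root, info["stored_name"]))
    # Defence in depth: even with a generated name, refuse to write outside root.
    if os.path.dirname(path) != root:
        raise ValueError("path escaped upload directory")
    # O_EXCL: never overwrite an existing file, even on a name collision.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return info


if __name__ == "__main__":
    import tempfile

    # Constructed sample inputs: a minimal PNG header, and a zip-based
    # document (what a .docx really is) that the user renamed to .png.
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 64
    docx_as_png = b"PK\x03\x04" + b"\x00" * 64
    with tempfile.TemporaryDirectory() as d:
        print(store_upload("../../etc/passwd.png", png, d))
        try:
            store_upload("profile.png", docx_as_png, d)
        except ValueError as e:
            print("rejected:", e)
```

Note that `display_name` is deliberately not used anywhere near `os.path.join`: the only thing that reaches the filesystem is the `secrets.token_hex` name plus an extension derived from the sniffed content, so neither a traversal sequence nor a double extension in the original name has anything to act on.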