suggestions please "what should i watch for/guard against" in a file upload situation?

Seebs usenet-nospam at seebs.net
Wed Oct 6 13:14:17 EDT 2010


On 2010-10-06, geekbuntu <gmilby at gmail.com> wrote:
> in general, what are things i would want to 'watch for/guard against'
> in a file upload situation?

This question has virtually nothing to do with Python, which means you
may not get very good answers.

> my checklist so far is basically to check the extension - ensure it
> has 3 places, ensure it's in the allowed list (like jpg gif etc...).

This strikes me as 100% irrelevant.  Who cares what the extension is?

> not sure what else i could do to guard against anything bad
> happening.  maybe the file name itself could cause grief?

Obvious things:

* File name causes files to get created outside some particular
  upload directory ("../foo")
* File name has spaces
* Crazy stuff like null bytes in file name
* File names which might break things if a user carelessly interacts
  with them, such as "foo.jpg /etc/passwd bar.jpg" (all one file name
  including two spaces).

Basically, the key question is, could a hostile user come up with
input to your script which could break something?

-s
-- 
Copyright 2010, all wrongs reversed.  Peter Seebach / usenet-nospam at seebs.net
http://www.seebs.net/log/ <-- lawsuits, religion, and funny pictures
http://en.wikipedia.org/wiki/Fair_Game_(Scientology) <-- get educated!
I am not speaking for my employer, although they do rent some of my opinions.
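
The file-name problems listed in the reply above ("../foo", spaces, null bytes, names like "foo.jpg /etc/passwd bar.jpg"), handled in one function. This is an added example, not part of the original post; the function name safe_upload_path, the allowed character set, the 100-character limit and the random prefix are assumptions chosen for illustration.

```python
import os
import re
import uuid

# Assumed policy (not from the post): anything outside this set becomes "_".
_UNSAFE_CHARS = re.compile(r"[^A-Za-z0-9._-]")


def safe_upload_path(upload_dir, client_name):
    """Map a client-supplied file name to a path inside upload_dir.

    Raises ValueError when the name cannot be made safe.
    """
    # Null bytes can truncate the name in lower-level APIs: reject outright.
    if "\x00" in client_name:
        raise ValueError("null byte in file name")
    # Drop any directory part. Backslashes are treated as separators too, so
    # a Windows-style "..\\foo" is handled the same way on a POSIX host.
    base = client_name.replace("\\", "/").rsplit("/", 1)[-1]
    # Spaces and shell metacharacters become "_"; leading dots are removed so
    # "." and ".." (and hidden files) cannot survive.
    base = _UNSAFE_CHARS.sub("_", base).lstrip(".")
    if not base:
        raise ValueError("file name is empty after sanitizing")
    # A random prefix keeps one upload from overwriting another.
    stored = "%s_%s" % (uuid.uuid4().hex, base[:100])
    root = os.path.realpath(upload_dir)
    target = os.path.realpath(os.path.join(root, stored))
    # Final containment check: the resolved path must stay under upload_dir.
    if os.path.commonpath([root, target]) != root:
        raise ValueError("path escapes upload directory")
    return target


if __name__ == "__main__":
    # Constructed sample names, taken from the cases in the reply.
    for name in ["../foo", "foo.jpg /etc/passwd bar.jpg", "a\x00b.jpg", ".."]:
        try:
            print(repr(name), "->", safe_upload_path("/tmp/uploads", name))
        except ValueError as exc:
            print(repr(name), "rejected:", exc)
```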


