suggestions please "what should i watch for/guard against' in a file upload situation?"

Tim Chase python.list at tim.thechases.com
Wed Oct 6 21:07:12 CEST 2010


On 10/06/10 12:14, Seebs wrote:
>> not sure what else i could do to guard against anything bad
>> happening.  maybe the file name itself could cause greif?
>
> Obvious things:
>
> * File name causes files to get created outside some particular
>    upload directory ("../foo")
> * File name has spaces
> * Crazy stuff like null bytes in file name
> * File names which might break things if a user carelessly interacts
>    with them, such as "foo.jpg /etc/passwd bar.jpg" (all one file name
>    including two spaces).

And depending on the system, Win32 chokes on filenames like 
"nul", "con", "com1"..."comN", "lpt1"..."lptN", and a bunch of 
others.

-tkc







More information about the Python-list mailing list