suggestions please "what should i watch for/guard against' in a file upload situation?"

Diez B. Roggisch deets at web.de
Wed Oct 6 21:17:04 CEST 2010


Seebs <usenet-nospam at seebs.net> writes:

> On 2010-10-06, geekbuntu <gmilby at gmail.com> wrote:
>> in general, what are things i would want to 'watch for/guard against'
>> in a file upload situation?
>
> This question has virtually nothing to do with Python, which means you
> may not get very good answers.

In contrast to "comp.super.web.experts"? There are quite a few people
with web-experience here I'd say. 

>
>> my checklist so far is basically to check the extension - ensure it
>> has 3 places, ensure it's in the allowed list (like jpg gif etc...).
>
> This strikes me as 100% irrelevant.  Who cares what the extension is?

Given that most people are not computer savvy (always remember, the
default for windows is to hide extensions..), using it client-side can
be valuable to prevent long uploads that eventuall need to be rejected
otherwise (no mom, you can't upload word-docs as profile pictures).
>
>> not sure what else i could do to guard against anything bad
>> happening.  maybe the file name itself could cause greif?
>
> Obvious things:
>
> * File name causes files to get created outside some particular
>   upload directory ("../foo")

Or rather just store that as a simple meta-info, as allowing even the
best-intended "me-in-cool-pose.jpg" to overwrite that of the one other
cool guy using the website isn't gonna fly anyway.

> * File name has spaces

See above, but other then that - everything but shell-scripts deal well
with it.

> * Crazy stuff like null bytes in file name
> * File names which might break things if a user carelessly interacts
>   with them, such as "foo.jpg /etc/passwd bar.jpg" (all one file name
>   including two spaces).

Your strange focus on file-names that are pure meta information is a
little bit concerning... 
>
> Basically, the key question is, could a hostile user come up with
> input to your script which could break something?

Certainly advice. But that's less focussed on filenames or file-uploads, but
on the whole subject of processing HTTP-requestst. Which would make a
point for *not* using a home-grown framework.

But then, Python is a bit less likely to suffer from buffer overflow or 
similar kind of attacks.

Diez



More information about the Python-list mailing list