suggestions please "what should i watch for/guard against" in a file upload situation?
tjreedy at udel.edu
Thu Oct 7 00:19:25 CEST 2010
On 10/6/2010 12:02 PM, geekbuntu wrote:
> in general, what are things i would want to 'watch for/guard against'
> in a file upload situation?
> i have my file upload working (in the self-made framework @ work
> without any concession for multipart form uploads), but was told to
> make sure it's cleansed and cannot do any harm inside the system.
> my checklist so far is basically to check the extension - ensure it
> has 3 places, ensure it's in the allowed list (like jpg gif etc...).
> not sure what else i could do to guard against anything bad
> happening. maybe the file name itself could cause grief?
> not sure but any suggestions or examples are most welcome :)
I am not sure whether anyone mentioned limiting the file size, checking
the incoming header, and aborting an upload if it goes over anyway. Most
sites do not want 10 gigabyte files ;-).
Terry Jan Reedy
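Putting the checklist from this thread (extension allow list, the file name itself, a size cap checked against the header and again while reading) into one handler, as an added example that is not code from the original posts. The allow list, the 5 MiB cap and the header/stream interface are assumptions standing in for whatever the framework at work provides.

```python
import os
import re
from typing import BinaryIO, Optional

ALLOWED_EXTENSIONS = {"jpg", "jpeg", "gif", "png"}  # assumption: the site's allow list
MAX_UPLOAD_BYTES = 5 * 1024 * 1024                   # assumption: 5 MiB per upload
CHUNK_SIZE = 64 * 1024
_UNSAFE_CHARS = re.compile(r"[^A-Za-z0-9._-]")
class UploadRejected(ValueError):
    """Raised for any upload the server refuses to store."""

def safe_filename(client_name: str) -> str:
    """Reduce the client-supplied name to a plain basename with a single, allowed extension."""
    # Last path component only (either separator), so "../x.jpg" cannot escape dest_dir;
    # then replace odd characters, strip leading dots (no hidden files, no "..") and
    # fold any extra dots in the stem so "a.php.jpg" is stored as "a_php.jpg".
    base = client_name.replace("\\", "/").rsplit("/", 1)[-1]
    base = _UNSAFE_CHARS.sub("_", base).lstrip(".")
    stem, dot, ext = base.rpartition(".")
    if not dot or not stem or ext.lower() not in ALLOWED_EXTENSIONS:
        raise UploadRejected("filename not acceptable: %r" % client_name)
    return "%s.%s" % (stem.replace(".", "_"), ext.lower())

def check_declared_length(headers: dict) -> Optional[int]:
    """Reject before reading the body when Content-Length already exceeds the cap."""
    raw = headers.get("Content-Length")
    if raw is None:
        return None  # unknown length: the streaming check in save_upload still applies
    try:
        length = int(raw)
    except ValueError:
        raise UploadRejected("malformed Content-Length: %r" % raw)
    if length < 0 or length > MAX_UPLOAD_BYTES:
        raise UploadRejected("declared size %d exceeds limit" % length)
    return length

def save_upload(stream: BinaryIO, headers: dict, client_name: str, dest_dir: str) -> str:
    """Stream the body to dest_dir, aborting as soon as the cap is passed, whatever the header said."""
    check_declared_length(headers)
    path = os.path.join(dest_dir, safe_filename(client_name))
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)  # O_EXCL: never overwrite
    try:
        with os.fdopen(fd, "wb") as out:
            for chunk in iter(lambda: stream.read(CHUNK_SIZE), b""):
                if out.tell() + len(chunk) > MAX_UPLOAD_BYTES:
                    raise UploadRejected("body exceeded %d bytes" % MAX_UPLOAD_BYTES)
                out.write(chunk)
    except UploadRejected:
        os.unlink(path)  # discard the partial file
        raise
    return path
```

The extension check only says what the client claims the file is; if the stored files are ever served back, keep them outside the web root or behind a handler that sets the content type itself.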