The dangerous, exquisite art of safely handing user-uploaded files: Tom Eastman (was: Does This Scare You?)
Ben Finney
ben+python at benfinney.id.au
Mon Aug 22 10:21:12 EDT 2016
Chris Angelico <rosuav at gmail.com> writes:
> […] to be honest, I wouldn't accept file names from untrusted sources
> on *any* system […]
That's one of the wiser things said in this whole thread.
> I'd use arbitrary numbers or hashes as the file names, and store the
> originally-submitted file name in some sort of metadata repository,
> like a Postgres table.)
The failure modes of using filenames from untrusted input are shockingly
diverse, as Tom Eastman describes:
The scope for abuse is eye-widening: The contents of the file, the
type of the file, the size and encoding of the file, even the *name*
of the file can be a potent vector for attacking your system.
The scariest part? Even the best and most secure web-frameworks
(yes, I'm talking about Django) can't protect you from all of it.
In this talk, I'll show you every scary thing I know about that can
be done with a file upload, and how to protect yourself from --
hopefully -- most of them.
<URL:https://2016.pycon-au.org/schedule/148/view_talk>
Tom presented to us at this year's PyCon AU
<URL:https://www.youtube.com/watch?v=HS8KQbswZkU>.
So yes, filenames from arbitrary sources should be *completely*
untrusted, and never used to access any file on the system. Throw the
entire filename away and make a filename locally, without using any part
of the original name.
--
\ “I saw a sign: ‘Rest Area 25 Miles’. That's pretty big. Some |
`\ people must be really tired.” —Steven Wright |
_o__) |
Ben Finney
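The approach the thread converges on (throw the submitted name away, generate one locally, keep the original only as metadata), as an added example. This is not code from the post, from Tom Eastman's talk or from Django; the `METADATA` dict standing in for the "metadata repository" (a Postgres table in the quoted suggestion), the hostile sample name and the function names are all assumptions made for illustration.

```python
import hashlib
import os
import secrets
import tempfile

# Hypothetical in-memory stand-in for the metadata repository. It maps the
# locally generated name to the untrusted submitted name, which is kept as
# data only and never used to build a filesystem path.
METADATA = {}


def store_upload(content: bytes, submitted_name: str, upload_dir: str) -> str:
    """Write an uploaded file under a locally generated name.

    The submitted name is recorded in METADATA for later display but plays
    no part in choosing the path, so traversal sequences, NUL bytes, reserved
    device names and the like cannot affect where the file lands.
    Returns the generated name.
    """
    # Name built entirely from local randomness: 128 bits, hex encoded.
    stored_name = secrets.token_hex(16)
    path = os.path.join(upload_dir, stored_name)
    # O_EXCL: fail rather than silently overwrite if the name already exists.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(content)
    METADATA[stored_name] = {
        "submitted_name": submitted_name,  # stored verbatim, as data
        "sha256": hashlib.sha256(content).hexdigest(),
        "size": len(content),
    }
    return stored_name


def display_name(stored_name: str) -> str:
    """Return a version of the submitted name that is safe to echo back, e.g.
    as a suggested download filename: last path component only, ASCII
    alphanumerics plus . _ -, no leading dots, bounded length. If nothing
    survives, fall back to the generated name.
    """
    raw = METADATA[stored_name]["submitted_name"]
    # Last component regardless of separator style (browsers may send either).
    base = raw.replace("\\", "/").rsplit("/", 1)[-1]
    cleaned = "".join(
        c if (c.isascii() and c.isalnum()) or c in "._-" else "_" for c in base
    )
    cleaned = cleaned.lstrip(".")[:128]
    return cleaned or stored_name


def demo() -> dict:
    """Store a file whose submitted name is hostile and report what happened.
    The content and the name are constructed for this example."""
    upload_dir = tempfile.mkdtemp()
    hostile = "../../etc/passwd\x00.png"
    name = store_upload(b"not really a png", hostile, upload_dir)
    return {
        "only_generated_name_on_disk": sorted(os.listdir(upload_dir)) == [name],
        "generated_name_is_hex": len(name) == 32
        and all(c in "0123456789abcdef" for c in name),
        "metadata_keeps_original": METADATA[name]["submitted_name"] == hostile,
        "display_name": display_name(name),
    }


if __name__ == "__main__":
    print(demo())
```

The point of the split is that `store_upload` needs no sanitiser at all, because no part of the submitted name reaches the path; `display_name` is a separate, best-effort cleanup for the one place the original name is shown again, and even there the generated name is the fallback. For a real deployment the same pattern applies with the directory and the metadata table swapped in.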