From f5c9c2246e4b01f8731550c2a10241ca0e0148e9 Mon Sep 17 00:00:00 2001 From: Luke Plant Date: Wed, 6 Jul 2011 23:44:54 +0000 Subject: [PATCH] Improved warning about file uploads in docs, and added link from security overview page git-svn-id: http://code.djangoproject.com/svn/django/trunk@16521 bcc190cf-cafb-0310-a4f2-bffc1f526a37 --- docs/ref/models/fields.txt | 6 ++++++ docs/topics/security.txt | 4 +++- 2 files changed, 9 insertions(+), 1 deletion(-) diff --git a/docs/ref/models/fields.txt b/docs/ref/models/fields.txt index 7765f2f8eb..95f01e640a 100644 --- a/docs/ref/models/fields.txt +++ b/docs/ref/models/fields.txt @@ -577,6 +577,8 @@ The uploaded file's relative URL can be obtained using the this calls the :meth:`~django.core.files.storage.Storage.url` method of the underlying :class:`~django.core.files.storage.Storage` class. +.. _file-upload-security: + Note that whenever you deal with uploaded files, you should pay close attention to where you're uploading them and what type of files they are, to avoid security holes. *Validate all uploaded files* so that you're sure the files are @@ -585,6 +587,10 @@ without validation, to a directory that's within your Web server's document root, then somebody could upload a CGI or PHP script and execute that script by visiting its URL on your site. Don't allow that. +Also note that even an uploaded HTML file, since it can be executed by the +browser (though not by the server), can pose security threats that are +equivalent to XSS or CSRF attacks. + By default, :class:`FileField` instances are created as ``varchar(100)`` columns in your database. As with other fields, you can change the maximum length using the :attr:`~CharField.max_length` argument. diff --git a/docs/topics/security.txt b/docs/topics/security.txt index 3940c0836a..02847bbb65 100644 --- a/docs/topics/security.txt +++ b/docs/topics/security.txt @@ -152,7 +152,9 @@ important to properly deploy your application and take advantage of the security protection of the web server, operating system and other components. * Make sure that your Python code is outside of the web server's root. This - will ensure that your Python code is not accidentally served as plain text. + will ensure that your Python code is not accidentally served as plain text + (or accidentally executed). +* Take care with any :ref:`user uploaded files `. * Django does not throttle requests to authenticate users. To protect against brute-force attacks against the authentication system, you may consider deploying a Django plugin or web server module to throttle these requests.