Improved warning about file uploads in docs, and added link from security overview page
git-svn-id: http://code.djangoproject.com/svn/django/trunk@16521 bcc190cf-cafb-0310-a4f2-bffc1f526a37
parent: 569aa34ea5
commit: f5c9c2246e
|
@ -577,6 +577,8 @@ The uploaded file's relative URL can be obtained using the
|
||||||
this calls the :meth:`~django.core.files.storage.Storage.url` method of the
|
this calls the :meth:`~django.core.files.storage.Storage.url` method of the
|
||||||
underlying :class:`~django.core.files.storage.Storage` class.
|
underlying :class:`~django.core.files.storage.Storage` class.
|
||||||
|
|
||||||
|
.. _file-upload-security:
|
||||||
|
|
||||||
Note that whenever you deal with uploaded files, you should pay close attention
|
Note that whenever you deal with uploaded files, you should pay close attention
|
||||||
to where you're uploading them and what type of files they are, to avoid
|
to where you're uploading them and what type of files they are, to avoid
|
||||||
security holes. *Validate all uploaded files* so that you're sure the files are
|
security holes. *Validate all uploaded files* so that you're sure the files are
|
||||||
|
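Review bot: the new ``.. _file-upload-security:`` label is placed on a plain paragraph ("Note that whenever you deal with uploaded files ...") rather than on a section title, so every ``:ref:`` to it must carry explicit link text, as the security overview hunk does with ``:ref:`user uploaded files <file-upload-security>```; a bare ``:ref:`file-upload-security``` would fail to resolve. If this warning is expected to be linked from more places, consider turning it into its own short subsection so the label gets a title and ``:ref:`` works without explicit text.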
@ -585,6 +587,10 @@ without validation, to a directory that's within your Web server's document
|
||||||
root, then somebody could upload a CGI or PHP script and execute that script by
|
root, then somebody could upload a CGI or PHP script and execute that script by
|
||||||
visiting its URL on your site. Don't allow that.
|
visiting its URL on your site. Don't allow that.
|
||||||
|
|
||||||
|
Also note that even an uploaded HTML file, since it can be executed by the
|
||||||
|
browser (though not by the server), can pose security threats that are
|
||||||
|
equivalent to XSS or CSRF attacks.
|
||||||
|
|
||||||
By default, :class:`FileField` instances are
|
By default, :class:`FileField` instances are
|
||||||
created as ``varchar(100)`` columns in your database. As with other fields, you
|
created as ``varchar(100)`` columns in your database. As with other fields, you
|
||||||
can change the maximum length using the :attr:`~CharField.max_length` argument.
|
can change the maximum length using the :attr:`~CharField.max_length` argument.
|
||||||
|
|
|
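Review bot: the added paragraph names the risk of uploaded HTML but not the mitigation, which is the part a reader landing here from the security overview needs; suggest adding a sentence after "equivalent to XSS or CSRF attacks." along the lines of "Serve user uploads from a separate domain, or with a ``Content-Disposition: attachment`` header, so that the browser does not render them in the context of your site." The wording "can be executed by the browser" is also loose: an HTML file is rendered, and any script it contains runs with the origin it was served from, which is why the result is equivalent to XSS when the file is served from the same domain as the site.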
@ -152,7 +152,9 @@ important to properly deploy your application and take advantage of the
|
||||||
security protection of the web server, operating system and other components.
|
security protection of the web server, operating system and other components.
|
||||||
|
|
||||||
* Make sure that your Python code is outside of the web server's root. This
|
* Make sure that your Python code is outside of the web server's root. This
|
||||||
will ensure that your Python code is not accidentally served as plain text.
|
will ensure that your Python code is not accidentally served as plain text
|
||||||
|
(or accidentally executed).
|
||||||
|
* Take care with any :ref:`user uploaded files <file-upload-security>`.
|
||||||
* Django does not throttle requests to authenticate users. To protect against
|
* Django does not throttle requests to authenticate users. To protect against
|
||||||
brute-force attacks against the authentication system, you may consider
|
brute-force attacks against the authentication system, you may consider
|
||||||
deploying a Django plugin or web server module to throttle these requests.
|
deploying a Django plugin or web server module to throttle these requests.
|
||||||
|
|
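Review bot: the new bullet "Take care with any user uploaded files" is terser than its neighbours and gives no hint of what to take care of; suggest a second sentence that mirrors the linked warning, e.g. "Validate them, and store them outside the web server's document root (or serve them from a separate domain) so that an uploaded script or HTML file cannot be executed or rendered as part of your site." The parenthetical "(or accidentally executed)" added to the first bullet reads well and matches the CGI/PHP example in the ``FileField`` warning.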