Improved warning about file uploads in docs, and added link from security overview page

git-svn-id: http://code.djangoproject.com/svn/django/trunk@16521 bcc190cf-cafb-0310-a4f2-bffc1f526a37
This commit is contained in:
Luke Plant 2011-07-06 23:44:54 +00:00
parent 569aa34ea5
commit f5c9c2246e
2 changed files with 9 additions and 1 deletions


@ -577,6 +577,8 @@ The uploaded file's relative URL can be obtained using the
this calls the :meth:`~django.core.files.storage.Storage.url` method of the this calls the :meth:`~django.core.files.storage.Storage.url` method of the
underlying :class:`~django.core.files.storage.Storage` class. underlying :class:`~django.core.files.storage.Storage` class.
.. _file-upload-security:
Note that whenever you deal with uploaded files, you should pay close attention Note that whenever you deal with uploaded files, you should pay close attention
to where you're uploading them and what type of files they are, to avoid to where you're uploading them and what type of files they are, to avoid
security holes. *Validate all uploaded files* so that you're sure the files are security holes. *Validate all uploaded files* so that you're sure the files are
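Review bot: the new `.. _file-upload-security:` target sits directly above the "Note that whenever you deal with uploaded files" paragraph in this hunk; make sure a blank line separates the label from the paragraph, since Sphinx only attaches an explicit target to the element that follows it when the two are separated, and the `:ref:` added in the security overview depends on this label resolving.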
@ -585,6 +587,10 @@ without validation, to a directory that's within your Web server's document
root, then somebody could upload a CGI or PHP script and execute that script by root, then somebody could upload a CGI or PHP script and execute that script by
visiting its URL on your site. Don't allow that. visiting its URL on your site. Don't allow that.
Also note that even an uploaded HTML file, since it can be executed by the
browser (though not by the server), can pose security threats that are
equivalent to XSS or CSRF attacks.
By default, :class:`FileField` instances are By default, :class:`FileField` instances are
created as ``varchar(100)`` columns in your database. As with other fields, you created as ``varchar(100)`` columns in your database. As with other fields, you
can change the maximum length using the :attr:`~CharField.max_length` argument. can change the maximum length using the :attr:`~CharField.max_length` argument.
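Review bot: the added paragraph names the risk (an uploaded HTML file rendered by the browser on your origin) but, unlike the preceding "Don't allow that.", gives the reader no guidance on what to do about it; consider adding one sentence pointing at the usual mitigations, namely serving uploaded files from a separate domain or with a `Content-Disposition: attachment` header so the browser downloads rather than renders them, and validating content type rather than trusting the file extension. "equivalent to XSS or CSRF attacks" is also slightly loose: an HTML file served from the site's own origin is an XSS vector, while CSRF can be mounted from any third-party page, so "XSS" alone (or "XSS, and thereby CSRF") would be more precise.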


@ -152,7 +152,9 @@ important to properly deploy your application and take advantage of the
security protection of the web server, operating system and other components. security protection of the web server, operating system and other components.
* Make sure that your Python code is outside of the web server's root. This * Make sure that your Python code is outside of the web server's root. This
will ensure that your Python code is not accidentally served as plain text. will ensure that your Python code is not accidentally served as plain text
(or accidentally executed).
* Take care with any :ref:`user uploaded files <file-upload-security>`.
* Django does not throttle requests to authenticate users. To protect against * Django does not throttle requests to authenticate users. To protect against
brute-force attacks against the authentication system, you may consider brute-force attacks against the authentication system, you may consider
deploying a Django plugin or web server module to throttle these requests. deploying a Django plugin or web server module to throttle these requests.
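Review bot: in the new bullet, "user uploaded files" should be hyphenated as "user-uploaded files" when used attributively, and the bullet is terse compared with its neighbours; a short clause such as "which can be served or executed from your site if they are not validated and stored outside the document root" would tell the reader why the linked section matters before they follow the `:ref:`. The parenthetical "(or accidentally executed)" added to the previous bullet is a good addition and reads fine.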