p31829507
/
django
mirror of https://github.com/django/django.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Improved warning about file uploads in docs, and added link from security overview page 

git-svn-id: http://code.djangoproject.com/svn/django/trunk@16521 bcc190cf-cafb-0310-a4f2-bffc1f526a37
This commit is contained in:
Luke Plant 2011-07-06 23:44:54 +00:00
parent 569aa34ea5
commit f5c9c2246e
2 changed files with 9 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
docs/ref/models/fields.txt
View File

@ -577,6 +577,8 @@ The uploaded file's relative URL can be obtained using the
this calls the :meth:`~django.core.files.storage.Storage.url` method of the
underlying :class:`~django.core.files.storage.Storage` class.
.. _file-upload-security:
Note that whenever you deal with uploaded files, you should pay close attention
to where you're uploading them and what type of files they are, to avoid
security holes. *Validate all uploaded files* so that you're sure the files are
@ -585,6 +587,10 @@ without validation, to a directory that's within your Web server's document
root, then somebody could upload a CGI or PHP script and execute that script by
visiting its URL on your site. Don't allow that.
Also note that even an uploaded HTML file, since it can be executed by the
browser (though not by the server), can pose security threats that are
equivalent to XSS or CSRF attacks.
By default, :class:`FileField` instances are
created as ``varchar(100)`` columns in your database. As with other fields, you
can change the maximum length using the :attr:`~CharField.max_length` argument.

4
docs/topics/security.txt
View File

@ -152,7 +152,9 @@ important to properly deploy your application and take advantage of the
security protection of the web server, operating system and other components.
* Make sure that your Python code is outside of the web server's root. This
will ensure that your Python code is not accidentally served as plain text.
will ensure that your Python code is not accidentally served as plain text
(or accidentally executed).
* Take care with any :ref:`user uploaded files <file-upload-security>`.
* Django does not throttle requests to authenticate users. To protect against
brute-force attacks against the authentication system, you may consider
deploying a Django plugin or web server module to throttle these requests.