From f98f702f2bca9dc460d4ee50b66f808d7efca43d Mon Sep 17 00:00:00 2001 From: Adrian Holovaty Date: Mon, 14 Aug 2006 23:07:43 +0000 Subject: [PATCH] Added paragraph to docs/model-api.txt explicitly pointing out file uploads should be validated, for security reasons git-svn-id: http://code.djangoproject.com/svn/django/trunk@3585 bcc190cf-cafb-0310-a4f2-bffc1f526a37 --- docs/model-api.txt | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/docs/model-api.txt b/docs/model-api.txt index 502ceaf7ff..c4d19db3bf 100644 --- a/docs/model-api.txt +++ b/docs/model-api.txt @@ -230,6 +230,14 @@ For example, say your ``MEDIA_ROOT`` is set to ``'/home/media'``, and upload a file on Jan. 15, 2007, it will be saved in the directory ``/home/media/photos/2007/01/15``. +Note that whenever you deal with uploaded files, you should pay close attention +to where you're uploading them and what type of files they are, to avoid +security holes. *Validate all uploaded files* so that you're sure the files are +what you think they are. For example, if you blindly let somebody upload files, +without validation, to a directory that's within your Web server's document +root, then somebody could upload a CGI or PHP script and execute that script by +visiting its URL on your site. Don't allow that. + .. _`strftime formatting`: http://docs.python.org/lib/module-time.html#l2h-1941 ``FilePathField``
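Review bot: the added paragraph ("Note that whenever you deal with uploaded files ...") tells the reader to *validate all uploaded files* but never says what validation means, so a reader is left with only the warning and the closing "Don't allow that." Suggest adding one or two concrete sentences after "what you think they are.": restrict uploads to an allowlist of expected types and check the file's content rather than trusting the client-supplied name or extension, and keep the ``upload_to`` directory under ``MEDIA_ROOT`` outside the Web server's document root (or configure the server so nothing under it is executed as a script), since the same paragraph already frames the risk as "a directory that's within your Web server's document root". Minor: the paragraph uses both "where you're uploading them" and "what type of files they are"; the second point is the one the example actually illustrates, so leading with file type would match the example better.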