Skip to content


Subversion checkout URL

You can clone with
Download ZIP
Browse files

Improved warning about file uploads in docs, and added link from secu…

…rity overview page

git-svn-id: bcc190cf-cafb-0310-a4f2-bffc1f526a37
  • Loading branch information...
commit f5c9c2246e4b01f8731550c2a10241ca0e0148e9 1 parent 569aa34
@spookylukey spookylukey authored
Showing with 9 additions and 1 deletion.
  1. +6 −0 docs/ref/models/fields.txt
  2. +3 −1 docs/topics/security.txt
6 docs/ref/models/fields.txt
@@ -577,6 +577,8 @@ The uploaded file's relative URL can be obtained using the
this calls the :meth:`` method of the
underlying :class:`` class.
+.. _file-upload-security:
Note that whenever you deal with uploaded files, you should pay close attention
to where you're uploading them and what type of files they are, to avoid
security holes. *Validate all uploaded files* so that you're sure the files are
@@ -585,6 +587,10 @@ without validation, to a directory that's within your Web server's document
root, then somebody could upload a CGI or PHP script and execute that script by
visiting its URL on your site. Don't allow that.
+Also note that even an uploaded HTML file, since it can be executed by the
+browser (though not by the server), can pose security threats that are
+equivalent to XSS or CSRF attacks.
By default, :class:`FileField` instances are
created as ``varchar(100)`` columns in your database. As with other fields, you
can change the maximum length using the :attr:`~CharField.max_length` argument.
4 docs/topics/security.txt
@@ -152,7 +152,9 @@ important to properly deploy your application and take advantage of the
security protection of the web server, operating system and other components.
* Make sure that your Python code is outside of the web server's root. This
- will ensure that your Python code is not accidentally served as plain text.
+ will ensure that your Python code is not accidentally served as plain text
+ (or accidentally executed).
+* Take care with any :ref:`user uploaded files <file-upload-security>`.
* Django does not throttle requests to authenticate users. To protect against
brute-force attacks against the authentication system, you may consider
deploying a Django plugin or web server module to throttle these requests.

0 comments on commit f5c9c22

Please sign in to comment.
Something went wrong with that request. Please try again.