Improved warning about file uploads in docs, and added link from security overview page

git-svn-id: http://code.djangoproject.com/svn/django/trunk@16521 bcc190cf-cafb-0310-a4f2-bffc1f526a37
commit f5c9c2246e4b01f8731550c2a10241ca0e0148e9 1 parent 569aa34
Luke Plant spookylukey authored
Showing with 9 additions and 1 deletion.
  1. +6 −0 docs/ref/models/fields.txt
  2. +3 −1 docs/topics/security.txt
6 docs/ref/models/fields.txt
@@ -577,6 +577,8 @@ The uploaded file's relative URL can be obtained using the
this calls the :meth:`~django.core.files.storage.Storage.url` method of the
underlying :class:`~django.core.files.storage.Storage` class.
+.. _file-upload-security:
+
Note that whenever you deal with uploaded files, you should pay close attention
to where you're uploading them and what type of files they are, to avoid
security holes. *Validate all uploaded files* so that you're sure the files are
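Review bot: the new `_file-upload-security` label sits in front of a paragraph rather than a section heading, so Sphinx has no title to fall back on and every `:ref:` to it must carry explicit link text (`:ref:`user uploaded files <file-upload-security>``); a bare `:ref:`file-upload-security`` would fail the docs build. A one-line comment above the label saying it is referenced from the security overview would keep a later reorganisation of this section from moving the paragraph out from under it.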
@@ -585,6 +587,10 @@ without validation, to a directory that's within your Web server's document
root, then somebody could upload a CGI or PHP script and execute that script by
visiting its URL on your site. Don't allow that.
+Also note that even an uploaded HTML file, since it can be executed by the
+browser (though not by the server), can pose security threats that are
+equivalent to XSS or CSRF attacks.
+
By default, :class:`FileField` instances are
created as ``varchar(100)`` columns in your database. As with other fields, you
can change the maximum length using the :attr:`~CharField.max_length` argument.
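Review bot: "executed by the browser (though not by the server)" is loose; the concrete risk is that an uploaded HTML file served from the site's own origin runs any script it contains with that origin's cookies and privileges, which is what makes it equivalent to XSS. The CSRF comparison is weaker, since an attacker can host a CSRF page on any domain without uploading anything, so either drop it or say what the uploaded page adds. The paragraph would also be more actionable if it named the mitigations the warning implies: serve uploads from a separate domain, or send them with `Content-Disposition: attachment` and an explicit non-HTML `Content-Type`, since validating the extension alone does not stop a browser from rendering the content.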
4 docs/topics/security.txt
@@ -152,7 +152,9 @@ important to properly deploy your application and take advantage of the
security protection of the web server, operating system and other components.
* Make sure that your Python code is outside of the web server's root. This
- will ensure that your Python code is not accidentally served as plain text.
+ will ensure that your Python code is not accidentally served as plain text
+ (or accidentally executed).
+* Take care with any :ref:`user uploaded files <file-upload-security>`.
* Django does not throttle requests to authenticate users. To protect against
brute-force attacks against the authentication system, you may consider
deploying a Django plugin or web server module to throttle these requests.
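Review bot: the added "(or accidentally executed)" reads as though the web server could execute Python source placed under its document root; "executed by the web server" or "run as a CGI script" would say what is meant. The new bullet is correctly written with explicit link text, which is required because `file-upload-security` labels a paragraph rather than a section, but it gives no hint why uploads are a deployment concern; a short clause such as "they may be executed by the server or, for HTML, by the browser" would let the checklist stand on its own without following the link.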