Skip to content
Browse files

Added paragraph to docs/model-api.txt explicitly pointing out file up…

…loads should be validated, for security reasons

git-svn-id: http://code.djangoproject.com/svn/django/trunk@3585 bcc190cf-cafb-0310-a4f2-bffc1f526a37
  • Loading branch information...
1 parent d07c2e9 commit f98f702f2bca9dc460d4ee50b66f808d7efca43d @adrianholovaty adrianholovaty committed Aug 14, 2006
Showing with 8 additions and 0 deletions.
  1. +8 −0 docs/model-api.txt
View
8 docs/model-api.txt
@@ -230,6 +230,14 @@ For example, say your ``MEDIA_ROOT`` is set to ``'/home/media'``, and
upload a file on Jan. 15, 2007, it will be saved in the directory
``/home/media/photos/2007/01/15``.
+Note that whenever you deal with uploaded files, you should pay close attention
+to where you're uploading them and what type of files they are, to avoid
+security holes. *Validate all uploaded files* so that you're sure the files are
+what you think they are. For example, if you blindly let somebody upload files,
+without validation, to a directory that's within your Web server's document
+root, then somebody could upload a CGI or PHP script and execute that script by
+visiting its URL on your site. Don't allow that.
+
.. _`strftime formatting`: http://docs.python.org/lib/module-time.html#l2h-1941
``FilePathField``

0 comments on commit f98f702

Please sign in to comment.
Something went wrong with that request. Please try again.