mirrors/django
1
0
Fork 0
mirror of https://github.com/django/django.git synced 2025-10-31 01:25:32 +00:00
Code Issues 32 Releases Wiki Activity

Added paragraph to docs/model-api.txt explicitly pointing out file uploads should be validated, for security reasons

Browse Source 
git-svn-id: http://code.djangoproject.com/svn/django/trunk@3585 bcc190cf-cafb-0310-a4f2-bffc1f526a37
This commit is contained in:
Adrian Holovaty
2006-08-14 23:07:43 +00:00
parent d07c2e9111
commit f98f702f2b
1 changed files with 8 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
docs/model-api.txt
View File

@@ -230,6 +230,14 @@ For example, say your ``MEDIA_ROOT`` is set to ``'/home/media'``, and
upload a file on Jan. 15, 2007, it will be saved in the directory upload a file on Jan. 15, 2007, it will be saved in the directory
``/home/media/photos/2007/01/15``. ``/home/media/photos/2007/01/15``.
Note that whenever you deal with uploaded files, you should pay close attention
to where you're uploading them and what type of files they are, to avoid
security holes. *Validate all uploaded files* so that you're sure the files are
what you think they are. For example, if you blindly let somebody upload files,
without validation, to a directory that's within your Web server's document
root, then somebody could upload a CGI or PHP script and execute that script by
visiting its URL on your site. Don't allow that.
.. _`strftime formatting`: http://docs.python.org/lib/module-time.html#l2h-1941 .. _`strftime formatting`: http://docs.python.org/lib/module-time.html#l2h-1941
``FilePathField`` ``FilePathField``