Author: lukeplant
Date: 2011-07-06 16:44:54 -0700 (Wed, 06 Jul 2011)
New Revision: 16521

Modified:
   django/trunk/docs/ref/models/fields.txt
   django/trunk/docs/topics/security.txt
Log:
Improved warning about file uploads in docs, and added link from security 
overview page

Modified: django/trunk/docs/ref/models/fields.txt
===================================================================
--- django/trunk/docs/ref/models/fields.txt     2011-07-06 23:25:30 UTC (rev 
16520)
+++ django/trunk/docs/ref/models/fields.txt     2011-07-06 23:44:54 UTC (rev 
16521)
@@ -577,6 +577,8 @@
 this calls the :meth:`~django.core.files.storage.Storage.url` method of the
 underlying :class:`~django.core.files.storage.Storage` class.
 
+.. _file-upload-security:
+
 Note that whenever you deal with uploaded files, you should pay close attention
 to where you're uploading them and what type of files they are, to avoid
 security holes. *Validate all uploaded files* so that you're sure the files are
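Review bot: the new `.. _file-upload-security:` label sits in front of a body paragraph rather than a section title, so Sphinx cannot derive link text for it and every `:ref:` pointing at it must carry explicit text (as `:ref:`user uploaded files <file-upload-security>`` does); a bare `:ref:`file-upload-security`` would fail at build time. If other pages are expected to link here, consider attaching the label to a heading instead so the cross-reference resolves without a caption.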
@@ -585,6 +587,10 @@
 root, then somebody could upload a CGI or PHP script and execute that script by
 visiting its URL on your site. Don't allow that.
 
+Also note that even an uploaded HTML file, since it can be executed by the
+browser (though not by the server), can pose security threats that are
+equivalent to XSS or CSRF attacks.
+
 By default, :class:`FileField` instances are
 created as ``varchar(100)`` columns in your database. As with other fields, you
 can change the maximum length using the :attr:`~CharField.max_length` argument.
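Review bot: the added paragraph names the risk of an uploaded HTML file but not what to do about it, and "equivalent to XSS or CSRF attacks" blurs the two. Suggest stating the mechanism (an HTML file served from the site's own origin runs script with that origin's cookies and CSRF token, which is the XSS case) and the usual defence: serve user uploads from a separate domain, or force them to download with `Content-Disposition: attachment`, so the browser never executes them in the site's origin.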

Modified: django/trunk/docs/topics/security.txt
===================================================================
--- django/trunk/docs/topics/security.txt       2011-07-06 23:25:30 UTC (rev 
16520)
+++ django/trunk/docs/topics/security.txt       2011-07-06 23:44:54 UTC (rev 
16521)
@@ -152,7 +152,9 @@
 security protection of the web server, operating system and other components.
 
 * Make sure that your Python code is outside of the web server's root. This
-  will ensure that your Python code is not accidentally served as plain text.
+  will ensure that your Python code is not accidentally served as plain text
+  (or accidentally executed).
+* Take care with any :ref:`user uploaded files <file-upload-security>`.
 * Django does not throttle requests to authenticate users. To protect against
   brute-force attacks against the authentication system, you may consider
   deploying a Django plugin or web server module to throttle these requests.
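Review bot: the new bullet is a bare cross-reference, while the surrounding bullets each state the risk in a sentence; a reader skimming the list gets no hint of what "take care" means. Suggest `* Take care with any :ref:`user uploaded files <file-upload-security>`: files served from under the web server's root may be executed by the server, and even HTML uploads can run script in your site's origin.`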
