diff options
author | Adrian Holovaty <adrian@holovaty.com> | 2006-08-14 23:07:43 +0000 |
---|---|---|
committer | Adrian Holovaty <adrian@holovaty.com> | 2006-08-14 23:07:43 +0000 |
commit | f98f702f2bca9dc460d4ee50b66f808d7efca43d (patch) | |
tree | d5d2fb0b6d094c3b31a0dafcc4f8d86153832c41 | |
parent | d07c2e91117ec80464195db63e7a0030d178b05f (diff) | |
download | django-f98f702f2bca9dc460d4ee50b66f808d7efca43d.tar.gz |
Added paragraph to docs/model-api.txt explicitly pointing out file uploads should be validated, for security reasons
git-svn-id: http://code.djangoproject.com/svn/django/trunk@3585 bcc190cf-cafb-0310-a4f2-bffc1f526a37
-rw-r--r-- | docs/model-api.txt | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/docs/model-api.txt b/docs/model-api.txt index 502ceaf7ff..c4d19db3bf 100644 --- a/docs/model-api.txt +++ b/docs/model-api.txt @@ -230,6 +230,14 @@ For example, say your ``MEDIA_ROOT`` is set to ``'/home/media'``, and upload a file on Jan. 15, 2007, it will be saved in the directory ``/home/media/photos/2007/01/15``. +Note that whenever you deal with uploaded files, you should pay close attention +to where you're uploading them and what type of files they are, to avoid +security holes. *Validate all uploaded files* so that you're sure the files are +what you think they are. For example, if you blindly let somebody upload files, +without validation, to a directory that's within your Web server's document +root, then somebody could upload a CGI or PHP script and execute that script by +visiting its URL on your site. Don't allow that. + .. _`strftime formatting`: http://docs.python.org/lib/module-time.html#l2h-1941 ``FilePathField`` |