tags:

views:

1221

answers:

1
+1  Q: 

Django file upload input validation and security

I'm creating a very simple django upload application but I want to make it as secure as possible. This is app is going to be completely one way, IE. anybody who uploads a file will never have to retrieve it. So far I've done the following:

  1. Disallow certain file extensions (.php, .html, .py, .rb, .pl, .cgi, .htaccess, etc)
  2. Set a maximum file size limit and file name character length limit.
  3. Password protected the directory that the files are uploaded to (with .htaccess owned by root so the web server cannot possibly overwrite it)

Assuming that apache and mod_python are on the front end of this and that apache itself has been secured, are there any other "best practice" things I should do or consider to protect my application?

Thanks in advance.

+2  A: 

Disallowing a file extension is -- potentially -- a waste of time. A unix server doesn't use the extension -- it uses ownership and permissions.

When accepting an upload, you will often rename the file to prevent it being misused. Uploaded files should be simply named "upload_xxx" with the "xxx" being a key to some database record that provides the claimed name and data type.

You have to actually read the file and confirm that the content of the file is what someone claims it is.

For example, if they claim to upload a .JPG, you have to actually read the file to be sure it's a JPEG, not an .EXE.

S.Lott  2009-07-08 01:17:23
OT, but S. Lott, will you be at the Boston Dev Days? I would be interested in hearing your thoughts and musings on Python and Django.
Thomas Owens  2009-07-08 01:25:03
Thanks for the information, that's a good point about verifying file type.The reasoning behind disallowing the extensions isn't necessarily to disallow that file type specifically, but to make sure that if the user were to somehow get access to that file via apache, that apache itself wouldn't try to execute that file. IE. if they upload a .php script and then browse to http://example.com/upload/files/user_uploaded_script.php, apache would run that .php script as if it were a normal php page.
seiryu  2009-07-08 16:29:52
Great ideas, thank you very much!
seiryu  2009-07-08 17:25:52

related questions

Encryption in C# Web-Services
How Do You Secure database.yml?
ASP.NET LocationProvider
What do you (or your company) use for wiping a machine?
Can a proxy server cache SSL GETs? If not, would response body encryption suffice?
Java: What is the best way to SFTP a file from a server
How do I call a Flex SWF from a remote domain using Flash (AS3) ?
Best way to store a database password in a startup script / config file?
Using VM to get around VPN restrictions
Best references for secure coding practices in ASP.NET and classic ASP.
Secure Memory Allocator in C++
Resolving Session Fixation in JBoss
Best Practices for securing a REST API / web service
Defensive programming
Personal Linux web server
Block user access to internals of a site using HTTP_REFERER
Is there an Unobtrusive Captcha for web forms?
My website got hacked... What should I do?
What all do I need to escape when sending a (My)SQL query?
How do you disable browser Autocomplete on web form field / input tag?
Best .NET obfuscation tools/strategy
Are there best practices for testing security in an Agile development shop?
What is the best way to avoid SQL injection attacks?
Found a critical bug, but the company doesn't care
PHP Session Security