验证Django中的已上传文件 [英] Validating Uploaded Files in Django
问题描述
我正在工作的Django应用程序有一个事件模型。 事件可能有相关的照片,静态html文件和pdf文件。
A Django app that I am working has an Event model. An Event may have associated photos, static html files and pdf files.
我想允许信任的用户上传这些文件,但我对安全性感到警惕,特别是阅读了以下在Django文档(链接)。
I would like to allow trusted users to upload these files, but I am wary about security, especially having read the following in the Django docs (link).
请注意,只要处理
上传的文件,您应该支付关闭
注意你上传
他们和他们是什么类型的文件,
以避免安全漏洞。验证所有
上传的文件,以确保
文件是您认为的。对于
示例,如果您盲目地让某人
将文件(无验证)上传到您的Web
服务器的文档根目录中的
目录,那么有人
可以上传CGI或PHP脚本和
通过访问您的站点上的
URL来执行该脚本。不要这样做。
Note that whenever you deal with uploaded files, you should pay close attention to where you're uploading them and what type of files they are, to avoid security holes. Validate all uploaded files so that you're sure the files are what you think they are. For example, if you blindly let somebody upload files, without validation, to a directory that's within your Web server's document root, then somebody could upload a CGI or PHP script and execute that script by visiting its URL on your site. Don't allow that.
如何验证不同类型的文件?我有兴趣听到任何人处理这种事情的经验,或链接进一步阅读。我有一个直觉,html文件可能太冒险了,在这种情况下,我将限制上传权限给管理员。
How can I validate the different types of files? I would be interested to hear anyone's experience of dealing with this kind of thing, or links for further reading. I have a gut feeling that html files may be too risky, in which case I'll restrict upload permissions to the administrator.
推荐答案
所有答案都集中在验证文件。这是非常不可能的。
All the answers are focusing on validating files. This is pretty much impossible.
Django开发人员并不要求您验证文件是否可以执行为 cgi文件。他们只是告诉你不要把他们放在他们将执行的地方。
The Django devs aren't asking you to validate whether files can be executed as cgi files. They are just telling you not to put them in a place where they will be executed.
你应该把所有Django的东西放在一个特别的Django目录。那个Django代码目录不应该包含静态内容。
You should put all Django stuff in a specially Django directory. That Django code directory should not contain static content. Don't put user files in the Django source repository.
如果您使用Apache2,请查看基本的cgi教程: http://httpd.apache.org/docs/2.0/howto/cgi.html
If you are using Apache2, check out the basic cgi tutorial: http://httpd.apache.org/docs/2.0/howto/cgi.html
Apache2可能会设置为运行 ScriptAlias 文件夹中的任何文件。 不要将用户文件放在 / cgi-bin / 或 / usr / local / apache2 / cgi-bin / 文件夹
Apache2 might be setup to run any files in the ScriptAlias folder. Don't put user files in the /cgi-bin/ or /usr/local/apache2/cgi-bin/ folders.
Apache2可能设置为服务器cgi文件,具体取决于 AddHandler cgi-script 设置。 不要让用户提交带有 .cgi 或 .pl 的扩展名的文件。
Apache2 might be set to server cgi files, depending on the AddHandler cgi-script settings. Don't let the users submit files with extensions like .cgi or .pl.
但是,您需要清理用户提交的文件,以便安全地在其他客户端的计算机上运行。 提交的HTML对其他用户是不安全的。不会伤害您的服务器。您的服务器将只是向任何请求者吐出来。获取一个HTML消毒剂。
However, you do need to sanitize user submitted files so they are safe to run on other clients' machines. Submitted HTML is unsafe to other users. It won't hurt your server. Your server will just spit it back at whoever requests it. Get a HTML sanitizer.
此外, SVG可能不安全。过去有错误。 SVG是一个带有javascript的XML文档,因此可能是恶意的。
Also, SVG may be unsafe. It's had bugs in the past. SVG is an XML document with javascript in it, so it can be malicious.
PDF是...棘手的您可以将其转换为图像(如果您真的需要),或提供图像预览(并让用户自行下载风险),但对于尝试使用它的人来说,这将是一种痛苦。
PDF is ... tricky. You could convert it to an image (if you really had to), or provide an image preview (and let users download at their own risk), but it would be a pain for people trying to use it.
考虑一系列文件的白名单。嵌入在gif,jpeg或png文件中的病毒将看起来像是一个损坏的图片(或无法显示)。如果您想要偏执,请使用PIL将它们全部转换为标准格式(您也可以检查大小)。消毒的HTML应该是OK的(剥离脚本标签不是火箭科学)。如果消毒是吸吮循环(或者您只是谨慎),可以把它放在一个单独的服务器上,我猜。
Consider a white-list of files that are OK. A virus embedded in a gif, jpeg or png file will just look like a corrupt picture (or fail to display). If you want to be paranoid, convert them all to a standard format using PIL (hey, you could also check sizes). Sanitized HTML should be OK (stripping out script tags isn't rocket science). If the sanitization is sucking cycles (or you're just cautious), you could put it on a separate server, I guess.
这篇关于验证Django中的已上传文件的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
