限制Django上的文件上載類型

[英]Restrict File Upload types on Django


I am implementing a way to restrict file upload on Django 1.8 running python 3.4

我正在實現一種限制Django 1.8運行python 3.4上的文件上傳的方法

Basically, I want to check the MIMEType of a file when they upload using mimetype. However, when I manipulate the file name from bad_image.exe to bad_image.exe.jpg, the mimetype is still image/jpeg. This could still result in a malicious attack.

基本上,我想在使用mimetype上傳文件時檢查文件的MIMEType。但是,當我將文件名從bad_image.exe操作到bad_image.exe.jpg時,mimetype仍然是image / jpeg。這仍然可能導致惡意攻擊。

Is there a way to actually implement this? I tried magic too but it still does not work.

有沒有辦法實際實現這個?我也嘗試過魔法,但它仍然不起作用。

1 个解决方案

#1


0  

You're right, rename a file .exe to .exe.jpg and content_type output (image/jpeg).

你是對的,將文件.exe重命名為.exe.jpg和content_type輸出(image / jpeg)。

But using python-magic if properly check the file as checking their headers and not the extension, so the output was in my test:

但是使用python-magic如果正確檢查文件是檢查它們的標題而不是擴展名,那么輸出就在我的測試中:

PE32 executable (GUI) Intel 80386, for MS Windows

PE32可執行文件(GUI)Intel 80386,適用於MS Windows

Even so I think the headers may be modified... hope that helps.

即便如此,我認為標題可能會被修改...希望有所幫助。


EDIT: In my test use cleaning a specific attribute

編輯:在我的測試中使用清理特定屬性

class UploadFileForm(forms.ModelForm):
    class Meta:
        model = FileTestUpload
        fields = ('title','file')

    def clean_file(self):

       f = self.cleaned_data.get("file", False)
       ftype = magic.from_buffer(f.read()) # InMemoryUploadedFile 

       print ftype

       return f

It is too simple but it was just to test.

這太簡單了,只是為了測試。


注意!

本站翻译的文章,版权归属于本站,未经许可禁止转摘,转摘请注明本文地址:https://www.itdaan.com/blog/2016/04/14/dd1a7c805f80587de0e28531026bb3dc.html



 
粤ICP备14056181号  © 2014-2021 ITdaan.com