I am implementing a way to restrict file uploads on Django 1.8 running Python 3.4.

Basically, I want to check the MIME type of a file when it is uploaded, using mimetype. However, when I manipulate the file name from bad_image.exe to bad_image.exe.jpg, the mimetype is still image/jpeg. This could still result in a malicious attack.
Is there a way to actually implement this? I tried magic too, but it still does not work.
You're right: rename a file from .exe to .exe.jpg and content_type still outputs image/jpeg.
But using python-magic, which properly checks the file by inspecting its header rather than the extension, the output in my test was:
PE32 executable (GUI) Intel 80386, for MS Windows
Even so, I think the headers may be modified... hope that helps.
EDIT: In my test I clean a specific attribute:
from django import forms
import magic  # python-magic

from .models import FileTestUpload  # assumed app model that holds the uploaded file


class UploadFileForm(forms.ModelForm):
    class Meta:
        model = FileTestUpload
        fields = ('title', 'file')

    def clean_file(self):
        f = self.cleaned_data.get("file", False)
        # f is an InMemoryUploadedFile; identify it by content, not by its name
        ftype = magic.from_buffer(f.read())
        f.seek(0)  # rewind so the file can still be saved after being read
        print(ftype)  # Python 3: print is a function
        return f
It is too simple, but it was just a test.
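To make the header check above concrete without depending on python-magic, here is an added example (not from the original answer) that sniffs the leading bytes of an upload, compares the sniffed type against both the declared content_type and the file extension, and rejects any mismatch; the signature allow-list, the helper names and the sample bytes are all constructed for this example. In the Django form you would call validate_upload(f.name, f.content_type, f) from clean_file and raise forms.ValidationError on a False result.

```python
import io
import os

# Constructed allow-list: leading-byte signatures of the image types we accept.
SIGNATURES = {
    "image/jpeg": [b"\xff\xd8\xff"],
    "image/png": [b"\x89PNG\r\n\x1a\n"],
    "image/gif": [b"GIF87a", b"GIF89a"],
}
# Extensions that may legitimately carry each content type.
EXTENSIONS = {
    "image/jpeg": {".jpg", ".jpeg"},
    "image/png": {".png"},
    "image/gif": {".gif"},
}


def sniff_mime(head: bytes):
    """Return the MIME type implied by the leading bytes, or None if unknown."""
    for mime, sigs in SIGNATURES.items():
        if any(head.startswith(sig) for sig in sigs):
            return mime
    return None


def validate_upload(filename: str, declared_type: str, fileobj):
    """Return (ok, detail). Reads only the header, then rewinds the file
    so Django can still save it after validation."""
    head = fileobj.read(16)
    fileobj.seek(0)
    sniffed = sniff_mime(head)
    if sniffed is None:
        # e.g. a PE executable starts with b"MZ": renaming it to .jpg changes nothing here
        return False, "content does not match any allowed image type"
    if declared_type != sniffed:
        return False, "declared %s but content is %s" % (declared_type, sniffed)
    ext = os.path.splitext(filename)[1].lower()
    if ext not in EXTENSIONS[sniffed]:
        return False, "extension %r does not match content type %s" % (ext, sniffed)
    return True, sniffed


def check_bytes(filename: str, declared_type: str, data: bytes):
    """Convenience wrapper: validate an in-memory byte string as if uploaded."""
    return validate_upload(filename, declared_type, io.BytesIO(data))
```

Signature sniffing only inspects the header, which is exactly the caveat in the answer: for images, additionally decoding the file (for example with Pillow) catches files whose body is not a real image.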