Added paragraph to docs/model-api.txt explicitly pointing out file uploads should be validated, for security reasons

git-svn-id: http://code.djangoproject.com/svn/django/trunk@3585 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2025-10-31 09:41:08 +00:00 · 2006-08-14 23:07:43 +00:00
parent d07c2e9111
commit f98f702f2b
1 changed files with 8 additions and 0 deletions
--- a/docs/model-api.txt
+++ b/docs/model-api.txt
@@ -230,6 +230,14 @@ For example, say your ``MEDIA_ROOT`` is set to ``'/home/media'``, and
 upload a file on Jan. 15, 2007, it will be saved in the directory
 ``/home/media/photos/2007/01/15``.

+Note that whenever you deal with uploaded files, you should pay close attention
+to where you're uploading them and what type of files they are, to avoid
+security holes. *Validate all uploaded files* so that you're sure the files are
+what you think they are. For example, if you blindly let somebody upload files,
+without validation, to a directory that's within your Web server's document
+root, then somebody could upload a CGI or PHP script and execute that script by
+visiting its URL on your site. Don't allow that.
+
 .. _`strftime formatting`: http://docs.python.org/lib/module-time.html#l2h-1941

 ``FilePathField``