Improved warning about file uploads in docs, and added link from security overview page

git-svn-id: http://code.djangoproject.com/svn/django/trunk@16521 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2025-12-15 21:45:20 +00:00 · 2011-07-06 23:44:54 +00:00 · 2011-07-06 23:44:54 +00:00 · f5c9c2246e
commit f5c9c2246e
parent 569aa34ea5
2 changed files with 9 additions and 1 deletions
--- a/docs/ref/models/fields.txt
+++ b/docs/ref/models/fields.txt
@ -577,6 +577,8 @@ The uploaded file's relative URL can be obtained using the
 this calls the :meth:`~django.core.files.storage.Storage.url` method of the
 underlying :class:`~django.core.files.storage.Storage` class.

+.. _file-upload-security:
+
 Note that whenever you deal with uploaded files, you should pay close attention
 to where you're uploading them and what type of files they are, to avoid
 security holes. *Validate all uploaded files* so that you're sure the files are
@ -585,6 +587,10 @@ without validation, to a directory that's within your Web server's document
 root, then somebody could upload a CGI or PHP script and execute that script by
 visiting its URL on your site. Don't allow that.

+Also note that even an uploaded HTML file, since it can be executed by the
+browser (though not by the server), can pose security threats that are
+equivalent to XSS or CSRF attacks.
+
 By default, :class:`FileField` instances are
 created as ``varchar(100)`` columns in your database. As with other fields, you
 can change the maximum length using the :attr:`~CharField.max_length` argument.