How to configure the server to only allow whitelist of file extensions for user uploaded files?

Hello,

I've created a Django website in which I allow users to upload Image files using Django's ImageField field. The Django docs section about this mentions that there is a vulnerability involved in letting users upload files:

Specifically, an HTML file can be uploaded as an image if that file contains a valid PNG header followed by malicious HTML.

And it says that at the framework level there is no way to prevent this potential malicious behavior, and that one of the ways with which this can be prevented is by only allowing certain file extensions in the web-server's config:

... applications may choose to define a whitelist of allowable file extensions for user uploaded files and configure the web server to only serve such files.

I have searched the web and looked at the forums about this but haven't found any information about how I would go about doing what the Django docs suggest, with PythonAnywhere.

Any ideas?

There's no way to do that on PythonAnywhere at the moment. You could serve your media files through Django and use Python to decide which ones you return. Or you could use a whitelist of file extensions to only allow the uploading of files that have those extensions.
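Both options in the answer above, as an added example that is not part of the original thread or of Django itself: an upload-time whitelist that checks the extension and the leading magic bytes, and a serve-time decision a Django media view could make before building its response. The code is framework-neutral so it runs on its own; the names `check_upload`, `media_headers` and `ALLOWED_IMAGE_TYPES` and the sample file names and bytes are constructed for this illustration.

```python
"""Two defensive controls for user-uploaded images, kept framework-neutral.

1. check_upload(): an upload-time whitelist on extension *and* leading magic bytes.
2. media_headers(): a serve-time decision for an application view that streams
   media itself (the "decide in Python which ones you return" option): a fixed
   Content-Type taken from the whitelist, never sniffed from the file body,
   plus X-Content-Type-Options: nosniff, or None for anything not whitelisted.

Wiring into Django (validators=[...] on the ImageField, a view that calls
media_headers() before returning a FileResponse) is left to the application.
"""
from pathlib import PurePosixPath

# Whitelist: lowercase extension -> (served Content-Type, accepted magic prefixes).
# Constructed for this example; extend deliberately, one format at a time.
ALLOWED_IMAGE_TYPES = {
    ".png": ("image/png", (b"\x89PNG\r\n\x1a\n",)),
    ".jpg": ("image/jpeg", (b"\xff\xd8\xff",)),
    ".jpeg": ("image/jpeg", (b"\xff\xd8\xff",)),
    ".gif": ("image/gif", (b"GIF87a", b"GIF89a")),
    # .svg is deliberately absent: it is XML that browsers render and that may carry script.
}


def _extension(filename):
    # Only the final suffix counts: "report.html.png" is ".png" and is served as image/png.
    return PurePosixPath(filename).suffix.lower()


def check_upload(filename, data):
    """Return (accepted, reason).

    Rejects unknown extensions and files whose first bytes do not match the
    declared image format.  As the Django docs warn, a body that starts with a
    valid PNG signature and continues with HTML still passes this check, which is
    why media_headers() below does not trust the body either.
    """
    ext = _extension(filename)
    if ext not in ALLOWED_IMAGE_TYPES:
        return False, f"extension {ext or '(none)'} not in whitelist"
    _, magics = ALLOWED_IMAGE_TYPES[ext]
    if not any(data.startswith(m) for m in magics):
        return False, f"content does not look like {ext}"
    return True, "ok"


def media_headers(filename):
    """Headers for serving a stored upload through the application, or None when
    the file must not be served at all."""
    ext = _extension(filename)
    if ext not in ALLOWED_IMAGE_TYPES:
        return None
    content_type, _ = ALLOWED_IMAGE_TYPES[ext]
    return {
        "Content-Type": content_type,
        # Stops browsers from re-interpreting the body as HTML even if it contains markup.
        "X-Content-Type-Options": "nosniff",
        # Inline display is acceptable because the Content-Type is fixed by the whitelist.
        "Content-Disposition": f'inline; filename="{PurePosixPath(filename).name}"',
    }


if __name__ == "__main__":
    # Constructed samples, not real uploads.
    samples = {
        "avatar.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
        "page.html": b"<html><body>constructed</body></html>",
        # The case from the Django docs: a valid PNG signature followed by HTML.
        "mixed.png": b"\x89PNG\r\n\x1a\n<html><body>constructed</body></html>",
        "photo.jpg": b"<html>constructed</html>",
    }
    for name, data in samples.items():
        print(name, check_upload(name, data), media_headers(name))
```

In the sample run, `page.html` and the mislabelled `photo.jpg` are rejected at upload, while `mixed.png` is accepted (its signature is valid) and is then served as `image/png` with `nosniff`, so the browser does not render the trailing markup. For the extension half on the Django side, `django.core.validators.FileExtensionValidator` exists and can be placed in the field's `validators` list; the magic-byte and serving checks are the application's own.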