帮助改进我的文件上传方法(Pyramid框架)
目前,我使用以下方法在 Pyramid 中上传文件(通过 HTML 表单)。
if request.params.get('form.submitted'):
upload_directory = os.getcwd() + '/myapp/static/uploads/'
my_file = request.POST.get('thumbnail')
saved_file = str(upload_directory) + str(my_file.filename)
perm_file = open(saved_file, 'w')
shutil.copyfileobj(my_file.file, perm_file)
my_file.file.close()
perm_file.close()
我只是想知道,这是保存文件上传的好方法吗?我的方法是否存在安全问题?我还能如何改进我的方法。谢谢。
Currently, I am using the following method for uploading files (via HTML form) in Pyramid.
if request.params.get('form.submitted'):
upload_directory = os.getcwd() + '/myapp/static/uploads/'
my_file = request.POST.get('thumbnail')
saved_file = str(upload_directory) + str(my_file.filename)
perm_file = open(saved_file, 'w')
shutil.copyfileobj(my_file.file, perm_file)
my_file.file.close()
perm_file.close()
I am just wondering, is this a good way of saving file uploads, are there any security concerns with my method? How else can I improve my method. Thanks.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
你会想要使用像 werkzug 的
safe_join而不是仅仅将上传目录添加到给定的文件名中。攻击者可以创建文件名为../../../some/important/path的 POST,并导致此脚本覆盖upload_directory之外的某些文件。You'll want to use something like werkzug's
safe_joinrather than just adding the upload directory to the given file name. An attacker could create a POST with a filename of../../../some/important/pathand cause this script to overwrite some file outside of yourupload_directory.