How do I restrict file types and make my code more secure?

Posted on 2025-02-09 06:31:46

I'm brand new to Flask and attempting to make a secure file upload web app. I want to limit the file types that can be uploaded and specifically block scripting languages.

My app.py code:

from flask import Flask, render_template, request, current_app, abort
import os

app = Flask(__name__)

app.config["UPLOAD_PATH"] = "Desktop"
app.config['UPLOAD_EXTENSIONS'] = ['.jpg', '.png', '.gif']
app.config['MAX_CONTENT_LENGTH'] = 1024 * 1024

@app.route("/",methods=["GET","POST"])
def upload_file():
    if request.method == "POST":
        f = request.files['file_name']
        f.save(os.path.join(app.config['UPLOAD_PATH'], f.filename))
        return render_template("upload-file.html", msg="File has been successfully uploaded")
    return render_template("upload-file.html", msg="Please Choose a File")


if __name__ == "__main__":
    app.run(debug=True)

And my upload-file.html code:

{{msg}}
<br>
<form action="/" method="POST" enctype="multipart/form-data">
    <input  type="file" name="file_name" multiple>
    <input type="submit" value="Submit">
</form>

Comments (2)

抚你发端 2025-02-16 06:31:46

You can get help from this documentation.

棒棒糖 2025-02-16 06:31:46
def allowed_file(filename):
    # UPLOAD_EXTENSIONS entries carry the leading dot ('.jpg'), so compare with the dot included
    return '.' in filename and '.' + filename.rsplit('.', 1)[1].lower() in app.config['UPLOAD_EXTENSIONS']

Pass the file name to this function; it will return True if the file extension is in your app.config['UPLOAD_EXTENSIONS'].

And you can put your code in an if statement.

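# Inside upload_file(); needs: from werkzeug.utils import secure_filename
if allowed_file(f.filename):
    # secure_filename() strips path separators so the name cannot point outside UPLOAD_PATH
    f.save(os.path.join(app.config['UPLOAD_PATH'], secure_filename(f.filename)))
    return render_template("upload-file.html", msg="File has been successfully uploaded")
else:
    return render_template("upload-file.html", msg="File extension not allowed")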
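
Added example (not part of the question, the answers, or Flask itself): an extension check only looks at the name the client sent, so this sketch also compares the first bytes of the upload with the claimed type and stores the file under a server-generated name. The names `MAGIC`, `safe_upload_name`, `SAMPLES` and `check_samples` are hypothetical, and the sample uploads are constructed.

```python
import io
import os
import uuid

# Allowlist from the page's UPLOAD_EXTENSIONS, mapped to the leading bytes
# ("magic numbers") each format starts with. The mapping is this example's own.
MAGIC = {
    ".jpg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
}

def safe_upload_name(filename, stream):
    """Return a server-chosen storage name, or None if the upload is rejected.

    `stream` is a seekable binary file object, e.g. `f.stream` of the
    FileStorage objects in Flask's request.files.
    """
    # Only the last extension counts: "x.jpg.php" -> ".php" (rejected).
    ext = os.path.splitext(filename or "")[1].lower()
    signatures = MAGIC.get(ext)
    if signatures is None:
        return None  # not on the allowlist, or no extension at all
    head = stream.read(8)
    stream.seek(0)  # rewind so a later f.save() still writes the whole file
    if not head.startswith(signatures):
        return None  # e.g. a script renamed to .jpg
    # Do not reuse the client-supplied name: it can contain "../" or collide.
    return uuid.uuid4().hex + ext

# In the view (the form uses `multiple`, so iterate over every file):
#   for f in request.files.getlist("file_name"):
#       name = safe_upload_name(f.filename, f.stream)
#       if name is None:
#           abort(400)
#       f.save(os.path.join(app.config["UPLOAD_PATH"], name))

# Constructed sample uploads (file name, first bytes), not from the page.
SAMPLES = [
    ("cat.PNG", b"\x89PNG\r\n\x1a\n" + b"\0" * 16),
    ("../../app.py", b"print('hi')"),
    ("script.jpg", b"#!/bin/sh\necho hi\n"),
    ("anim.gif", b"GIF89a" + b"\0" * 16),
]

def check_samples():
    """True where the sample would be accepted."""
    return [safe_upload_name(n, io.BytesIO(d)) is not None for n, d in SAMPLES]
```

Matching magic bytes is a cheap first check: a file can start with a valid header and still not be a well-formed image. Serve stored uploads with a fixed Content-Type and from a directory the server never executes.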