Flask File Handling: Werkzeug Vs Flask-Uploads

I am trying to decide how to implement image uploading functionality on my flask app. I am currently using Flask-Uploads to get the job done and it seems to work pretty well. However, I have no idea if it is very secure, which could be a huge issue since file uploading is involved. Flask-Uploads doesn't really provide detailed information on the implementation of their service, so I haven't gained any insight by looking through the documentation. However, I saw that on Flask's official documentation they included an example of file uploads using Werkzeug, which seems to have some extra methods intended for file security. I can't seem to find anything on the web that sheds light on which one is more secure. Has anyone here with more web security experience ever examined one or both of these alternatives and come to a definite conclusion on this issue?

Harrison asked Oct 28 '14 01:10




1 Answer

Flask-Uploads is actually using the patterns found in Flask's documentation for file upload handling. It uses werkzeug.secure_filename, it provides a way to set MAX_CONTENT_LENGTH if, for some reason, you are using Flask 0.5 or older, and it provides a way to validate files based on their extension.

In fact, Flask's documentation actually explicitly suggests using Flask-Uploads:

Because the common pattern for file uploads exists almost unchanged in all applications dealing with uploads, there is a Flask extension called Flask-Uploads that implements a full fledged upload mechanism with white and blacklisting of extensions and more.

Sean Vieira answered Sep 22 '22 20:09