Validating upload file type in Django

Tags: python, django

I have a Post model with a FileField which is used to upload files. How can I validate the file type (PDF for now, or any other types if I change it later)? Preferably I'd like to validate the content, but if not I guess the suffix would do too. I tried to look it up online, but most of the solutions I found are from way back, and as the Django documentation gets updated they don't work any more. Please help if anyone can. Thanks.

from django.db import models
from django.utils import timezone


class Post(models.Model):
    author = models.ForeignKey('auth.User',default='')
    title = models.CharField(max_length=200)
    text = models.TextField()
    PDF = models.FileField(null=True, blank=True)
    created_date = models.DateTimeField(
            default=timezone.now)
    published_date = models.DateTimeField(
            blank=True, null=True)

    def publish(self):
        self.published_date = timezone.now()
        self.save()

    def __str__(self):
        return self.title

hakuro asked Jul 18 '17 16:07


2 Answers

With Django 1.11 you can use FileExtensionValidator. With earlier versions, or for extra validation, you can build your own validator based on it. And you should probably create a validator either way because of this warning:

Don’t rely on validation of the file extension to determine a file’s type. Files can be renamed to have any extension no matter what data they contain.

Here's sample code with the existing validator:

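from django.core.validators import FileExtensionValidator
from django.db import models


class Post(models.Model):
    # Accept only names ending in .pdf; this checks the extension, not the content
    PDF = models.FileField(null=True, blank=True, validators=[FileExtensionValidator(['pdf'])])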

Source code is also available so you can easily create your own:

https://docs.djangoproject.com/en/1.11/_modules/django/core/validators/#FileExtensionValidator

kichik answered Oct 26 '22 11:10


Think of validation in terms of:

  • Name/extension
  • Metadata (content type, size)
  • Actual content (is it really a PNG as the content-type says, or is it a malicious PDF?)

The first two are mostly cosmetic - pretty easy to spoof/fake that information. By adding content validation (via file magic - https://pypi.python.org/pypi/filemagic) you add a little bit of additional protection.

Here is a good, related answer: "Django: Validate file type of uploaded file". It may be old, but the core idea should be easily adapted.

bimsapi answered Oct 26 '22 12:10
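
Both answers point toward a custom validator that inspects the content as well as the name. The block below is an added example, not code from either answer or from Django: it checks the PDF header with the standard library instead of filemagic, and `looks_like_pdf`, `validate_pdf_upload`, `make_upload` and `check` are hypothetical names. The `ValidationError` fallback is an assumption made only so the block runs where Django is not installed.

```python
import io

try:
    from django.core.exceptions import ValidationError
except ImportError:  # lets the sniffing logic run without Django installed
    class ValidationError(ValueError):
        """Stand-in for django.core.exceptions.ValidationError."""

PDF_MAGIC = b"%PDF-"  # header the PDF format puts at the start of the file


def looks_like_pdf(fileobj):
    """True if the stream starts with the PDF header; stream position is restored."""
    pos = fileobj.tell()
    try:
        fileobj.seek(0)
        head = fileobj.read(len(PDF_MAGIC))
    finally:
        fileobj.seek(pos)  # the file is read again when it is saved
    return head == PDF_MAGIC


def validate_pdf_upload(upload):
    """Hypothetical validator: the extension and the content must both say PDF."""
    name = getattr(upload, "name", "") or ""
    if not name.lower().endswith(".pdf"):
        raise ValidationError("Only .pdf files are accepted.")
    if not looks_like_pdf(upload):
        raise ValidationError("File content does not start with a PDF header.")


def make_upload(name, data):
    """Constructed stand-in for an uploaded file: bytes plus a client-supplied name."""
    f = io.BytesIO(data)
    f.name = name
    return f


def check(upload):
    """Return 'accepted' or 'rejected' for one upload."""
    try:
        validate_pdf_upload(upload)
    except ValidationError:
        return "rejected"
    return "accepted"


if __name__ == "__main__":
    # Constructed samples: a real header, a renamed HTML file, a PDF with the wrong suffix
    for name, data in [("report.pdf", b"%PDF-1.4\n"), ("report.pdf", b"<html>"), ("report.txt", b"%PDF-1.4\n")]:
        print(name, data[:6], check(make_upload(name, data)))
```

Attach it with `validators=[validate_pdf_upload]` on the `FileField`. A matching header only shows that the file claims to be a PDF, so it is the "little bit of additional protection" the answer describes.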