我正在构建一个Web应用程序(python和Django),允许用户上传pdf文件供其他用户下载。如何阻止用户上传嵌入在pdf中的病毒?
更新: 我在使用clamcv的django代码段上找到了这段代码。这可以做到这一点吗?
def clean_file(self):
file = self.cleaned_data.get('file', '')
#check a file in form for viruses
if file:
from tempfile import mkstemp
import pyclamav
import os
tmpfile = mkstemp()[1]
f = open(tmpfile, 'wb')
f.write(file.read())
f.close()
isvirus, name = pyclamav.scanfile(tmpfile)
os.unlink(tmpfile)
if isvirus:
raise forms.ValidationError( \
"WARNING! Virus \"%s\" was detected in this file. \
Check your system." % name)
return file
答案 0 :(得分:1)
通常,您可以使用任何病毒扫描软件来完成此任务:只需
使用python子进程来运行命令行字符串,如下所示:
try:
command_string = 'my_virusscanner -parameters ' + uploaded_file
result = subprocess.check_output(command_string,stderr=subprocess.STDOUT,shell=True)
#if needed, do something with "result"
except subprocess.CalledProcessError as e:
#if your scanner gives an error code when detecting a virus, you'll end up here
pass
except:
#something else went wrong
#check sys.exc_info() for info
pass
如果不检查源代码,我认为pyclamav.scanfile或多或少都相同 - 所以如果你信任clamav,你应该做得很好。如果您不信任ist,请使用上述方法使用您选择的病毒扫描程序。
答案 1 :(得分:0)
您可以使用django-safe-filefield包来验证上传的文件扩展名是否与MIME类型匹配。例如:
settings.py
CLAMAV_SOCKET = 'unix://tmp/clamav.sock' # or tcp://127.0.0.1:3310
CLAMAV_TIMEOUT = 30 # 30 seconds timeout, None by default which means infinite
forms.py
from safe_filefield.forms import SafeFileField
class MyForm(forms.Form):
attachment = SafeFileField(
scan_viruses=True,
)