使用django提供文件 - 这是一个安全漏洞

Question

我正在使用以下代码从django应用程序中的登录安全视图提供上传文件。

您认为此代码中存在安全漏洞吗？我有点担心用户可以在上传后将任意字符串放在url中，并且这会直接映射到本地文件系统。

实际上我不认为这是一个漏洞问题，因为对文件系统的访问仅限于使用UPLOAD_LOCATION设置定义的文件夹中的文件。

UPLOAD_LOCATION = is set to a not publicly available folder on the webserver

url(r'^upload/(?P<file_url>[/,.,\s,_,\-,\w]+)', 'project_name.views.serve_upload_files', name='project_detail'),

@login_required
def serve_upload_files(request, file_url):
    import os.path
    import mimetypes
    mimetypes.init()

    try:
        file_path = settings.UPLOAD_LOCATION + '/' + file_url
        fsock = open(file_path,"r")
        file_name = os.path.basename(file_path)
        file_size = os.path.getsize(file_path)
        print "file size is: " + str(file_size)
        mime_type_guess = mimetypes.guess_type(file_name)
        if mime_type_guess is not None:
            response = HttpResponse(fsock, mimetype=mime_type_guess[0])
        response['Content-Disposition'] = 'attachment; filename=' + file_name
        #response.write(file)             
    except IOError:
        response = HttpResponseNotFound()
    return response

编辑：根据Ignacio Vazquez-Abrams评论更新了来源：

 import os.path
 import mimetypes

  @login_required
  def serve_upload_files(request, file_url):
    mimetypes.init()
    try:
        file_path = os.path.join(settings.UPLOAD_LOCATION, file_url)
        #collapse possibly available up-level references
        file_path = os.path.normpath(file_path)
        #check if file path still begins with settings.UPLOAD_LOCATION, otherwise the user tampered around with up-level references in the url
        #for example this input: http://127.0.0.1:8000/upload/..\test_upload.txt results having the user access to a folder one-level higher than the upload folder
        #AND check if the common_prefix ends with a dir separator, Because although '/foo/barbaz' starts with '/foo/bar'
        common_prefix = os.path.commonprefix([settings.UPLOAD_LOCATION, file_path])
        if common_prefix == settings.UPLOAD_LOCATION and common_prefix.endswith(os.sep):
            fsock = open(file_path,"r")
            file_name = os.path.basename(file_path)
            mime_type_guess = mimetypes.guess_type(file_name)
            if mime_type_guess is not None:
                response = HttpResponse(fsock, mimetype=mime_type_guess[0])
                response['Content-Disposition'] = 'attachment; filename=' + file_name
            else:
                response = HttpResponseNotFound() 
        else:
            print "wrong directory"
            response = HttpResponseNotFound()           
    except IOError:
        response = HttpResponseNotFound()
    return response

Answer 1

一些提示：

1. 使用os.path.join()一起加入路径。
2. 使用os.path.normpath()获取没有“..”引用的实际路径。
3. 对os.path.commonprefix()使用UPLOAD_LOCATION和生成的路径，并验证结果是否以UPLOAD_LOCATION开头。
4. 确保UPLOAD_LOCATION以dir分隔符结尾。

TL; DR：使用os.path。