Issue #2 open

Easy removal of uploads module

Dan Jacob
created an issue

In many cases it's undesirable to have an automatically registered module that accesses your file uploads directly (for example, the uploads should only be available to selected users). While this could be removed in e.g. nginx configuration, it's easy to forget to do so, creating a potential security risk.

Therefore the _uploads module that is added automatically should be easily removable - this could be an argument to configure_uploads or a config setting, e.g. REGISTER_UPLOADS_MODULE.

Comments (3)

  1. Matthew Frazier (repo owner)
    • changed status to open

    I will add code that will prevent the uploads module from being registered if no sets actually need it.

    I am not inclined to allow removing the uploads explicitly, though, because if the module is needed and not provided, then it breaks the UploadSet.url method. Also, application-level upload security that relied on the application serving the uploads itself would break if an external URL was provided to serve the uploads from, as is recommended during production.

    I may add an option that lets you mark a set as "nonserved," which would prevent URLs for the set from being configured or generated, and a send_upload function that wraps like send_static_file. (In that case, it would be recommended to use a server with X-Sendfile support.) The application could then restrict access to the uploads, but configuring an external server would be application-specific. Would that work for your use case?
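The pattern discussed in this thread, serving uploads through an application route that enforces an access rule instead of through a public module, as an added example. This is not flask-uploads' own code and it does not use the UploadSet API; it wires the check with plain Flask and the standard library. UPLOAD_ROOT, the OWNERS table, may_read() and the send_upload route are assumptions made for illustration.

```python
"""Access-controlled serving of uploaded files (added example).

Sketches the "nonserved set + send_upload" idea from the comment above:
the upload directory is never exposed by an auto-registered module;
instead one route validates the requested name, applies the
application's own authorisation rule, and only then sends the file.
"""
import os
from typing import Optional

# Assumed upload directory (hypothetical path for this example).
UPLOAD_ROOT = "/srv/app/uploads"

# Constructed sample data: which user owns which upload. A real
# application would keep this in its database.
OWNERS = {"report.pdf": "alice", "photo.jpg": "bob"}


def resolve_upload_path(root: str, filename: str) -> Optional[str]:
    """Return the absolute path of `filename` under `root`, or None when
    the name escapes the upload directory ("../x", "/etc/x", "")."""
    root_abs = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_abs, filename))
    # commonpath() raises ValueError for paths on different drives
    # (Windows); treat that as "outside the root" as well.
    try:
        inside = os.path.commonpath([root_abs, candidate]) == root_abs
    except ValueError:
        inside = False
    if not inside or candidate == root_abs:
        return None
    return candidate


def may_read(user: Optional[str], filename: str, owners=OWNERS) -> bool:
    """Authorisation rule for this example: only the owner of an upload
    may fetch it. Anonymous users and unknown files are denied."""
    if user is None:
        return False
    return owners.get(filename) == user


def create_app():
    """Wire the checks into a Flask app. Flask is imported lazily so the
    pure functions above remain usable without it installed."""
    from flask import Flask, abort, send_from_directory, session

    app = Flask(__name__)
    app.config["UPLOAD_ROOT"] = UPLOAD_ROOT
    # Reading `session` requires a secret key; take it from the
    # environment rather than hard-coding one.
    app.secret_key = os.environ.get("FLASK_SECRET_KEY")
    # If the front-end server supports X-Sendfile (as the comment above
    # suggests), Flask can delegate the actual file transfer to it.
    app.config["USE_X_SENDFILE"] = False  # set True behind such a server

    @app.route("/uploads/<path:filename>")
    def send_upload(filename):
        # 1. refuse names that would leave the upload directory
        path = resolve_upload_path(app.config["UPLOAD_ROOT"], filename)
        if path is None:
            abort(404)
        # 2. enforce the application's access rule before serving
        if not may_read(session.get("user"), filename):
            abort(403)
        # 3. serve the file; send_from_directory sets headers the way
        #    send_static_file does and re-validates the path itself.
        return send_from_directory(app.config["UPLOAD_ROOT"], filename)

    return app


if __name__ == "__main__":
    create_app().run()
```

Because the upload directory is only reachable through send_upload, forgetting an nginx rule no longer exposes every file: a request is served only after both the path check and may_read() pass, and anything else yields 404 or 403.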
