adr...@bcc190cf-cafb-0310-a4f2-bffc1f526a37  committed ba019a1

Added paragraph to docs/model-api.txt explicitly pointing out file uploads should be validated, for security reasons

  • Parent commits fbce937

Files changed (1)

File docs/model-api.txt

 upload a file on Jan. 15, 2007, it will be saved in the directory
+Note that whenever you deal with uploaded files, you should pay close attention
+to where you're uploading them and what type of files they are, to avoid
+security holes. *Validate all uploaded files* so that you're sure the files are
+what you think they are. For example, if you blindly let somebody upload files,
+without validation, to a directory that's within your Web server's document
+root, then somebody could upload a CGI or PHP script and execute that script by
+visiting its URL on your site. Don't allow that.
 .. _`strftime formatting`:
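Review bot: The added paragraph tells the reader to "*Validate all uploaded files*" but never says what to validate against, so the advice is not actionable; suggest naming the concrete checks alongside the CGI/PHP example: compare the file extension against an allowlist of the types the application expects, do not trust the filename or content type supplied by the client, and save uploads to a directory outside the Web server's document root (or one the server is configured never to execute scripts from), since the lines "to a directory that's within your Web server's document / root, then somebody could upload a CGI or PHP script" describe only the failure and not the fix. Also, "where you're uploading them" reads as though the application author is the one uploading; "where you're saving them" matches the surrounding context ("it will be saved in the directory").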