Contribute Media
A thank you to everyone who has made this possible: Read More

The dangerous, exquisite art of safely handing user-uploaded files.

Translations: en

Description

Tom Eastman https://2016.pycon-au.org/schedule/148/view_talk Every web application has an attack surface -- the exposed points of interaction where a malicious or mischievous user can commit malice, or mischief (respectively). Possibly nowhere, however, is more vulnerable than places a user is allowed to upload arbitrary files.

The scope for abuse is eye-widening: The contents of the file, the type of the file, the size and encoding of the file, even the name of the file can be a potent vector for attacking your system.

The scariest part? Even the best and most secure web-frameworks (yes, I'm talking about Django) can't protect you from all of it.

In this talk, I'll show you every scary thing I know about that can be done with a file upload, and how to protect yourself from -- hopefully -- most of them.

Details

Improve this page