Commit 0d51165

Add documentation
1 parent e553e3a commit 0d51165

1 file changed

+21
-2
lines changed

README.rst

Lines changed: 21 additions & 2 deletions
@@ -16,8 +16,7 @@ Usage
1616

1717
Create a model and add a field of type ValidatedFileField. You can add a maximum size in bytes
1818
and a list of valid mime types that will be allowed. The list of all mime types is available
19-
here: http://www.iana.org/assignments/media-types/index.html. If a user tries to upload a file
20-
with too much size or without a valid type, a form validation error will occur::
19+
here: http://www.iana.org/assignments/media-types/index.html::
2120

2221
class TestModel(models.Model):
2322
the_file = ValidatedFileField(
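Review bot: the paragraph before the example states the size unit (bytes) but never says how the mime type of an upload is determined, i.e. whether `content_types = ['image/png']` is compared against the Content-Type the client declares or against the file's actual contents; readers deciding how much to trust this check need that stated, so add one sentence documenting it. Style point: ending the sentence with `index.html::` renders awkwardly in reST; consider `here: http://www.iana.org/assignments/media-types/index.html. For example::`.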
@@ -27,3 +26,23 @@ with too much size or without a valid type, a form validation error will occur::
2726
max_upload_size = 10240,
2827
content_types = ['image/png'])
2928

29+
The model can be used in forms or model forms like a normal FileField. If a user tries to upload
30+
a file with too much size or without a valid type, a form validation error will occur.
31+
32+
33+
Note on DOS attacks
34+
-------------------
35+
36+
Important note: the check of the file size is made by Django once the whole file has been uploaded
37+
to the server and stored in a temp directory (or in memory if the file is small). Thus, this is
38+
useful to guarantee the quota of the users, for example, but will not stop an attacking user that
39+
wants to block the server by sending huge files (e. g. of several Gb).
40+
41+
To avoid this, you need to configure your front end to limit the size of uploaded files. How to do
42+
it depends on the software you are using. For example, if you use apache, you should use
43+
**LimitRequestBody** directive (http://httpd.apache.org/docs/2.2/mod/core.html#limitrequestbody).
44+
45+
This is a complementary measure, because you'll usually want normal users that exceed the size by a
46+
reasonable amount to get a friendly form validation message, while attacking users will see how their
47+
connection is abruptly cut before the file finishes uploading.
48+
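Review bot: the "complementary measure" in the last paragraph only behaves as described if the front-end limit is set above the largest `max_upload_size` used in the project; if it is set at or below it, the "friendly form validation message" path is never reached and every oversize upload is cut at the web server, so the note should state that ordering explicitly (e.g. "set LimitRequestBody somewhat higher than your largest max_upload_size"). Minor: "several Gb" reads as gigabits, write "GB"; and the LimitRequestBody link points at the Apache 2.2 documentation, which may not match the version readers are running.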
