I have one Django application running GAE.The application uses content folder which contains images and html snippets.The content folder was uploaded in google cloud storage.I would like to render a image in static file using img tag.For using img tag I want to know the url of that image.I have seen that when we set the permission to share publicly it will give us a url.But I don't want to share that files publicly.If I share an another application can use my files.I don't want that.I there any way to do that with out log in a user
Sharing it publicly is the best way to go.
You could also base64 encode the image data when you render out the template, which means the url of the image will not be shown to the public on your page. Then you can obfuscate the image names in the GCS. This way it's still public but hard to reach.
Related
I am creating a site that users can upload images. I am using django-storages to forward these images to S3 bucket, but I recently read the security docs on Django's site: https://docs.djangoproject.com/en/3.0/topics/security/#user-uploaded-content
Django’s media upload handling poses some vulnerabilities when that media is served in ways that do not follow security best practices. Specifically, an HTML file can be uploaded as an image if that file contains a valid PNG header followed by malicious HTML. This file will pass verification of the library that Django uses for ImageField image processing (Pillow). When this file is subsequently displayed to a user, it may be displayed as HTML depending on the type and configuration of your web server.
It tells me about this vulnerability but it does not provide me an efective way of protecting against these vulnerabilities. Which is the top 3rd most vulnerable attack in websites.
Consider serving static files from a cloud service or CDN to avoid some of these issues.
I am using S3 to serve my media files, it does say to avoid some of the vulnarabilities described in the section, but is does not say which.
My question: Is uploading and serving images to and from AWS S3 vulnerable to these attacks, and if it does not, what is an effective way of sanitizing the content of the image ?
Edit for bounty: I host the images on S3, what are type of attack or vulnerabilities can happen ? And how to prevent such attacks ?
Why not just verify that the file is a valid image?:
from PIL import Image
image = Image.open(file)
image.verify()
As another poster has suggested, you can indeed attempt a transformation and check if an exception is thrown, but verify() will probably be quicker.
Or maybe you can try detecting the type?:
import imghdr
path = 'Image.jpg'
imghdr.what(path)
Or
from PIL import Image
image = Image.open('myimage.png')
image.format
Using any of the above methods, you can determine if the file is actually an image or not. If it is not an image, then consider the file as spurious, and do not output it on any of your web pages. By not outputting the file, there is no risk of XSS from this vector, because even if the file is HTML, by not outputting it on your page, it cannot compromise your page.
The best possible solution comes from the Pillow library itself.
Even if someone can Manipulate the headers of an HTML File to make them look as PNG files, when you try doing some operation on them (say resizing), it will simply not work and throw an error, so you can capture it inside a try except block and warn/flag the user for malicious intent.
If you don't want to reduce the quality of any image given to you, then you can resize to the original image size, it will work without compromising the quality of image.
For my Python app,I had completed the basic settings to interact with google drive api and found it working by a test upload of a CSV file. Now I need to upload an image from a url to a newly created folder named 'myappname' in Google Drive.
Thanks in advance
For now, there is no way you can directly upload file from url. There are two workaround I can think of
Download file and upload it back using Files.insert()
Use Save to Drive button
Using save to Drive button requires user interaction to click the button which might not be the one you want. In that case, downloading and uploading is the only way I can think of.
I am using Django 1.4 on Google App Engine.
I have a model called Media, where the admins can upload files to use in their website. It has a field:
file = models.FileField(upload_to='/uploads/%Y/%m/%d')
It works perfectly with images (although the URL provided is weird), but that is not a problem.
The problem is when they try to upload a PDF (or anything else). Everything seems to work, but when you go to edit it, it doesn't contain any file - there is no "Currently" or anything else.
If I go to Google App Engine dashboard, the file is in Blob Viewer, and the record is also saved and available through the Datastore Viewer, with the correct blob key.
Why Django is not recognizing it? And how I can fix it?
djangoappengine contains a storage provider for the blobstore.
To me it doesn't seem like a full-featured solution, just something to get file uploads running.
I had to add this to get some functionality I needed (urls to the files).
It might make the admin work too:
https://github.com/dragonx/djangoappengine/commit/6a472a80c25bc077816c9104b45d5a64f3063273
I am developing two web sites using the Django framework.
The thing is - one site is sharing part of the content from the other one.
They both use different amazon WS buckets to store images, etc.
So for the site which shares some content with another one I need to specify a different MEDIA_URL, but it seems impossible cause 'upload_to' and 'storage' parameters of the FileField only influence the file being uploaded.
Is there any way to use another storage when displaying image after it was uploaded?
I want to upload images to a gallery app. I want the user to be able to either load images normaly, or upload on zip file containing all the images for that gallery. Then it must be uncompressed and all images must be added to that model. This is for the admin site.
Any ideas?
You could either use the existing django-app django-photologue which enables you to do that or have a look at how it is implemented there: https://code.google.com/p/django-photologue/source/browse/trunk/photologue/models.py.
If you see that photlogue is lacking some of the functionality you need, you could also subclass and extend photologue's models in your app!