Home/ Questions/Q 6215949
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-24T07:08:52+00:00

I have a view which fetches a file and serves it to the user.

  • 0

I have a view which fetches a file and serves it to the user. The view is as follows:

@login_required
def file(request, mid_id, file_name):
    user = request.user

    authorized_mids = user.profile.authorized_mids(True)

    mid = get_object_or_404(Mid, id=mid_id)
    try:
        authorized_mids[mid.id]
    except KeyError:
        raise Http404

    mid_file_path = settings.PATH_TO_REPORTS + ('/%s/' % mid.pk) + file_name

    to_return = open(mid_file_path, 'r')

    mimetype = mimetypes.guess_type(mid_file_path)

    response = HttpResponse(to_return, mimetype=mimetype)
    response['Content-Disposition'] = 'attachment; filename=%s' % file_name;

    return response

My URL looks like:

url(r'^mid/(?P<mid_id>\d+)/file/(?P<file_name>.*?)/$', 'mid.views.file', name='fetch_report')

Are there any security concerns with having the .* in the URL? Will a (malicious) user be able to hack in such a way that they will be able to access files which they should not be able to?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    You should probably replace the .*? with [^#?]*? to avoid matching the query or fragment portions of the URL or use urllib.parse to separate out the path portion.

    Also, be aware of .. sequences in URLs.

    r'^mid/(?P<mid_id>\d+)/file/(?P<file_name>.*?)/$'

    matches

    mid/1/file/../../../../etc/

    which is outside the mid/1/file subdirectory tree.

    You could do

    os.path.normpath(path)

    before running the regex which should reject the above because

    os.path.normpath('mid/1/file/../../../../etc/')

    is

    ../etc

    but you will have to remove the / before $ and normpath might behave differently on Windows machines than on *nix. I don’t know of any equivalent to normpath in the urllib module.

    • 0