durusmail: quixote-users: Automatic removal of tempfiles in quixote.upload
Automatic removal of tempfiles in quixote.upload
2004-08-12
Matt Campbell
Re: Automatic removal of tempfiles in quixote.upload
2004-08-14
Graham Fawcett
Re: Automatic removal of tempfiles in quixote.upload
2004-08-14
Jason E. Sibre
Re: Automatic removal of tempfiles in quixote.upload
2004-08-16
Graham Fawcett
Re: Automatic removal of tempfiles in quixote.upload
2004-08-16
Jason Sibre
2004-08-16
Martin Maney
Automatic removal of tempfiles in quixote.upload
Matt Campbell
2004-08-12
I noticed that when a user uploads a file to a Quixote application, the
resulting temporary file isn't automatically removed after the request
is processed.  This is OK is the function that processed the request
expected an upload, because it can move or remove the file itself.  But
once HTTP upload is enabled by defining the UPLOAD_DIR config variable,
a malicious user could include an upload in *any* request.  I figure
someone might do this in an attempt to fill the server's disk, though it
would take a lot of unexpected uploads to succeed at that.  In any case,
it's a resource leak.

To prevent this problem, I think the Upload class should have a __del__
method which deletes the file referenced by an instance's tmp_filename
attribute if the file still exists.  That way, the application developer
doesn't have to be concerned about cleaning up after unexpected
uploads.  Is there anything wrong with this solution?

--
Matt Campbell
Lead Programmer
Serotek Corporation
www.freedombox.info
reply