1

So, I'm trying to create a Google App Engine (Python) app that allows people to share files. I have file uploads working well, but my concern is about checking the file extension and making sure, primarily, that the files are read only, and secondly, that they are of the filetype that is specified. These will not be image files, as I know there are a lot of image resources already. Specifically, .stl mesh files, but I'd like to be able to do this more generally.

I know there are modules that can do this, python-magic seems to be able to do this for example, but I can't seem to find any that I'm able to import without LoadModuleRestricted. I'm considering writing my own parser, but that would be a lot of work for such a common (I'm assuming) issue.

Anyway, I'm totally stumped, so this is my first Stack Overflow question. I hope I'm doing well etiquette-wise. Let me know, and thanks!

Matt
  • if it's images, some links here perhaps: http://stackoverflow.com/questions/889333/how-to-check-if-a-file-is-a-valid-image-file – Paul Collingwood Feb 21 '13 at 21:50
  • Sorry, not images, I'll update the question – Matt Feb 21 '13 at 21:52
  • possible duplicate of [How to find the mime type of a file in python?](http://stackoverflow.com/questions/43580/how-to-find-the-mime-type-of-a-file-in-python) – Sean McSomething Feb 21 '13 at 22:15
  • I was under the impression that the mimetypes module just looks at the extension. I'm concerned about potential malicious executables that just have an innocent-looking extension. I may be wrong though. That question is where I learned about the python-magic module, however it is restricted on App Engine. – Matt Feb 21 '13 at 22:46

1 Answer

1

It sounds like you want to read the first few bytes of the uploaded file to verify that its signature matches the purported MIME type. Assuming that you're uploading to blobstore (i.e., via a URL obtained from blobstore.get_upload_url()), then once you're redirected to the upload handler whose path you gave to get_upload_url, you can open the blob using a BlobReader, then read and verify the signature.

The Blobstore sample app lays out the framework. You'd glue in code in UploadHandler once you have blob_info (using blob_info.key() to open the blob).

Dave W. Smith
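The signature check this answer describes, applied to the .stl files from the question, as an added example that is not part of the original answer. It goes slightly beyond the first few bytes by also checking that a binary STL's declared triangle count matches the upload size; `classify_stl` is a hypothetical name, and the BlobReader wiring in the comment is an assumption that is not exercised here.

```python
import io
import struct

HEADER_LEN = 80        # binary STL: free-form header
COUNT_LEN = 4          # little-endian uint32 triangle count
TRIANGLE_LEN = 50      # 12 float32 values + 2-byte attribute field
PROBE_LEN = 1024       # bytes read from the start of the upload


def classify_stl(stream, total_size):
    """Return 'binary', 'ascii' or None for a seekable byte stream.

    Assumed App Engine wiring: stream = blobstore.BlobReader(blob_info.key())
    and total_size = blob_info.size.
    """
    stream.seek(0)
    head = stream.read(PROBE_LEN)

    # Binary STL has no magic number, so the check is structural: the
    # declared triangle count must account for every byte of the file.
    # Done first because a binary header may itself begin with "solid".
    if len(head) >= HEADER_LEN + COUNT_LEN:
        (count,) = struct.unpack_from("<I", head, HEADER_LEN)
        if total_size == HEADER_LEN + COUNT_LEN + count * TRIANGLE_LEN:
            return "binary"

    # ASCII STL: plain text that opens with "solid" and shows a facet or
    # endsolid keyword within the probe window.
    if not head.lstrip().startswith(b"solid"):
        return None
    try:
        text = head.decode("ascii")
    except UnicodeDecodeError:
        return None
    if any(ord(c) < 32 and c not in "\t\r\n" for c in text):
        return None  # control bytes: not a text mesh
    return "ascii" if ("facet" in text or "endsolid" in text) else None


if __name__ == "__main__":
    # Constructed sample: a two-triangle binary STL with zeroed geometry.
    sample = b"demo".ljust(HEADER_LEN, b"\0") + struct.pack("<I", 2) + b"\0" * 100
    print(classify_stl(io.BytesIO(sample), len(sample)))
```

Anything that comes back as `None` can be deleted from blobstore in the upload handler before it is ever offered for download.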