The documentation on secure file upload (https://docs.djangoproject.com/en/2.0/ref/models/fields/#file-upload-security) doesn't quite answer my concerns.
Consider the following use case: a (potentially malicious) user can use a form to upload a file. I want to implement the following controls (returning an error message and not accepting the file if it doesn't comply):
- the file must be less than 50MiB
- the file name must be of format ^[a-zA-Z0-9_ ]{1,250}.csv$
- the file must be ANSI encoded
- only a whitelist of ANSI characters inside the file will be allowed (for example [a-zA-Z1-9;])
- securing metadata to prevent code injection through malicious metadata
What would be the best way to implement this? Also, did I forget important controls for this use case?
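
One way to express the controls listed above as a framework-independent check, added here as an example and not part of the original post. The function names `validate_csv_upload` and `storage_name` are hypothetical; the code assumes CR/LF must be allowed as row separators and that "ANSI" is satisfied because every allowlisted byte is ASCII. It can be called with the `name` and file object of a Django `UploadedFile` from a form's clean method.

```python
import io
import re
import uuid

MAX_BYTES = 50 * 1024 * 1024  # 50 MiB limit from the post
# Name pattern from the post, with the dot escaped; fullmatch() is used so
# "aXcsv" and "a.csv\n" are both rejected.
NAME_RE = re.compile(r"[a-zA-Z0-9_ ]{1,250}\.csv")
# Example allowlist from the post ([a-zA-Z1-9;]) plus CR/LF as row
# separators (assumption: the post does not mention line endings).
ALLOWED = frozenset(
    b"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ123456789;\r\n"
)


def validate_csv_upload(name, stream, max_bytes=MAX_BYTES, chunk_size=65536):
    """Return a list of error strings; an empty list means the upload passed."""
    errors = []
    if not NAME_RE.fullmatch(name):
        errors.append("file name does not match the allowed pattern")
    total = 0
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            break
        # Count bytes actually read instead of trusting a client-declared size.
        if total + len(chunk) > max_bytes:
            errors.append("file is larger than the size limit")
            break
        # Every allowed byte is ASCII, so this one check also rejects any
        # file that uses another encoding or contains control characters.
        bad = next((i for i, b in enumerate(chunk) if b not in ALLOWED), None)
        if bad is not None:
            errors.append("disallowed byte 0x%02x at offset %d" % (chunk[bad], total + bad))
            break
        total += len(chunk)
    return errors


def storage_name():
    """Server-generated name, so the client-supplied name never reaches disk."""
    return uuid.uuid4().hex + ".csv"


if __name__ == "__main__":
    # Constructed sample inputs.
    print(validate_csv_upload("report 2018.csv", io.BytesIO(b"a;b;c\r\n1;2;3\r\n")))
    print(validate_csv_upload("reportXcsv", io.BytesIO(b"a;b\n=cmd")))
```

Reading in chunks keeps memory use bounded, and stopping at the first violation means an oversized or malformed upload is rejected without being processed to the end.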