I have created an API with express to submit a user form with an image with multer. Now I want to make the URL of the image temporary for a certain amount of time so that no user can see the image after that particular time and one URL is fixed for one user only but if he wants to see it again he has to request a new URL.
https://localhost:3000/api/image?=sometempURL1
for another user, the same image should have another unique URL like
https://localhost:3000/api/image?=sometempURL2orSomething
just don't want to reveal the actual file path/name
One way to do this is to use routes with parameters: /path/:id
The id would be the path to the file hashed using a hashing method.
You would have 2 locations for the files, one temporary and one permanently. When you get a file, you store it in both locations. You can save the location to the permanent one. For you temporary route, you can return to use the hashed path of the file in temporary location.
Now how is this temporary location? You can use Cronjob to schedule it's deletion.
So you provide to the user /path/to/file.jpg under this format: b017bcade5394d0076ad808e94482576 and the route would look like: /file/b017bcade5394d0076ad808e94482576 and you can get the file using this hashed value, but at some point (depending on the time you set on cronjob) the file will be deleted from the temporary location, so the link will become invalid
Related
I have Django model with Image field, but sometimes I don't need to actually upload file and store path to it, but I need to store only path. Especially url. I mean, I have web client, that receives both foreign urls like sun1-17.userapi.com and url of my own server, so sometimes I don't need to download but need to store url. Is it possible, to store url in ImageField, or I need to make CharField and save files via python? If its impossible, how do I save file in python3, having one, sent me via multipart?
The URL field in the ImageField is ReadOnly, so you cannot write it. You should probably use in addition a URLField (better than a CharField) to save the URLs.
You can allow null values on both and use only the appropriate one according to your scenario.
class FilePathField(path='', match=None, recursive=False, > allow_files=True, allow_folders=False, max_length=100, **options)
A CharField whose choices are limited to the filenames in a certain directory on the filesystem.
Has some special arguments, of which the first is required:
FilePathField.path
Required. The absolute filesystem path to a directory from which this FilePathField should get its choices. Example: "/home/images".
For more info visit the doc https://docs.djangoproject.com/en/3.0/ref/models/fields/#django.db.models.FilePathField
Uploaded filename in Catalog-->Downloads section are like this:
Chrysanthemum.jpg.bafd8619f8e86bba3b8c90063b2910d2
in this example Chrysanthemum.jpg is filename and What's usage this: .bafd8619f8e86bba3b8c90063b2910d2 ?
Without knowing anything about Opencart I would say that it's an easy way to make sure that if you upload two images with the same name but different content they won't replace each other. If it's indeed a hash of the content thats appended then that would also ensure that if you upload the same image twice it will still only be stored once.
I would like to upload one file at a time, get the path of each file and add it to a list. It would later be used to save them all in a permanent directory like E:/myfile/....
I tried the following PrimeFaces component:
<p:fileUpload value="#{fileUploadView.file}" mode="simple" />
However, I am unable to get the file path. How can I get it?
The enduser won't send you the full client side file path. Even then, if it did, how would you ever get the file contents by only the path? If it were possible, it would have been a huge security breach as basically anyone on the world would be able to unaskingly scrape files from anyone else's disk through the entire Internet.
Usually, only the filename is being sent and you should even not use exactly that filename to save the obtained content on disk in order to avoid files being overwritten in case (another) enduser coincidentally uploads a file with exactly same name. You should use it at most as metadata (e.g. to prefill the Save As filename in case enduser want to download it back at a later moment).
You should actually be interested in the actual file content sent to you in flavor of InputStream or byte[], not the original client side path nor filename. The file content is sent only once and you should immediately read and write it to a more permanent location in the server side once the bean action method hits. Then, keep track of the (autogenerated/predefined!) filenames/paths of those saved files in some List<String> or List<File> in the view or perhaps the session scope.
See also:
How to save uploaded file in JSF
ok so what I am trying to do is manually handle my assets when using express. What I mean is that I do not what to have to have every stylesheet/javascript file on every page. So I wanted to be able to specify in each route whether I wanted to use another javascript file or not. Ex:
app.get('/testing',function(req,res,next){
assets.addJS('my-javascript-file');
res.render('testing');
});
So now when the template goes to render I want all of those javascript files that have been added in a local variable. I do not want to pass them on each call to render because I will want to add javascript in other places and may not necessarily need to send anything to the template which would cause me not to pass it by accident. Another thing that I want to implement is caching. I know by default it sends back the 304 not modified once it has the asset but I dont even want it making that request so I was hoping to do a query string on the files when they are output with maybe the last time they were modified and that way if I change them it will automatically tell the users browser to get the newest files but other than that it will cache them saving me bandwidth / requests (amazon s3 charges for these). If anyone can point me in the right direction or if there is already a plugin out there for this please let me know. Thanks.
You could build an asset manager around this:
app.get(function(req, res) {
res.locals.files = [ 'somefile.js', 'somefile2.js' ];
res.render('someview');
});
The view would just create multiple script files.
head
each file in files
script(src=base_url + '/' + file)
If you want to merge the files into one request you probably need to extend this even more. You could create a route that can take an array of files and merges them on each request. You can serve files with res.sendFile. This will take care of all the headers and caching if I remember correctly.
I am trying to assess our security risk if we allow to have a form in our public website that lets the user upload any type of file and get it stored in the database.
I am worried about the following:
Robots uploading information
A huge increment of the size of the database
The form is an resume upload so HR people will be downloading those files in a jpeg or doc or pdf format but actually getting a virus.
You can use captchas for dealing with robots
Set a reasonable file size limit for each upload
You can do multiple checking for your file upload control.
1) Checking the extension of file (.wmv, .exe, .doc). This can be implemented by Regex expression.
2) Actually check the file header or definition type (ex: gif, word, image, etc, xls). Sometimes file extension is not sufficient.
3) Limit the file size. (Ex: 20mb)
4) Never accept the filename provided by the user. Always rename the file to some GUID according to your specifications. This way hacker wont be able to predict the actual name of the file which is stored on the server.
5) Store all the files out of web virtual directory. Preferably store in separate File Server.
6) Also implement the Captcha for File upload.
In general, if you really mean to allow any kind of file to be uploaded, I'd recommend:
A minimal type check using mime magic numbers that the extension of the file corresponds to the given one (though this doesn't solve much if you are not going to limit the kinds of files that can be uploaded).
Better yet, have an antivirus (free clamav for example) check the file after uploading.
On storage, I always prefer to use the filesystem for what it was created: storing files. I would not recommend storing files in the database (suposing a relational database). You can store the metadata of the file on the database and a pointer to the file on the file system.
Generate a unique id for the file and you can use a 2-level directory structure to store the data: E.g: Id=123456 => /path/to/store/12/34/123456.data
Said that, this can vary depending on what you want to store and how do you want to manage it. It's not the same to service a document repository, a image gallery or a simple "shared directory"