- When should an uploaded file be deleted?
- How long should a generated report be available for download?
Files that cannot be read by a CSV reader should be deleted immediately to avoid that potentially malicious resources are hosted on this public server. A simple check for file extension is not enough. Arbitrary files can be uploaded by just adding the extension *.csv.
Following operations has been done:
- Uploaded file is validated via Python Magic library. The header of the file is checked and MIME type is determined. If it is not a real CSV file (MIME is different than 'application/csv'), the file and its folder are deleted immediately. The user is informed about the situation.
- Generated reports and uploaded user files are deleted from the server after 24 hours. A background task is created and scheduled for this operation.