Uploading files from IE

and-google at doxdesk.com and-google at doxdesk.com
Thu Mar 23 20:08:37 CET 2006


AB wrote:

> I tried the following with the same result:
> myName = ulImage.filename
> newFile = file (os.path.join(upload_dir, os.path.basename(myName)), 'wb')

os.path is different on your system to the uploader's system. You are
using Unix pathnames, with a '/' separator - they are using Windows
ones, with '\', so os.path.basename won't recognise them as separators.
Old-school-Macintosh and RISC OS machines have different path
separators again.

The Content-Disposition filename parameter can be set by the user-agent
to *anything at all*. Using it without some serious sanitising
beforehand is a recipe for security holes. In your original code an
attacker could have arbitrarily written to any file the web user had
access to. The code with os.path.basename is better but could still be
confused by things like an empty string, '.', '..' or invalid
characters.

It's best not to use any user-submitted data as the basis for
filenames. If you absolutely *must* use Content-Disposition as a local
filename you must send it through some strict checking first, whether
the browser sends full paths to you or not.

-- 
And Clover
mailto:and at doxdesk.com
http://www.doxdesk.com/




More information about the Python-list mailing list