-
-
Notifications
You must be signed in to change notification settings - Fork 681
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Filenames with a '\' are not returned as entered #465
Comments
File.name should contain name only, its expected behavior. |
@mclark-newvistas, if you agree and there is no other (missed) case, then I'm going to close this. |
@xarguments that was and is the file name. There is no path element in the file named |
Definitely don't looks like correct way to get filename. We should change that, asbolutely, Thanks for the report. |
@mclark-newvistas Agree with this, file name security checks are not that good, and can be improved. Yet allowing
@tunnckoCore, checked its code, the path.basename will check for slash and backslash, depended on server OS:
Generally, no matter which way we go - we should choose to either allow or disallow
What would you say? |
O, seems like I didn't get that issue correctly back then. Agree. Instead of this option it can be |
@xarguments I'm fine w/OS dependent behavior personally, though I recognize you might feel it violates the Principle of Least Surprise for enough of your users to matter. Given your reasonable preference for consistency, I'd recommend taking the same approach I've seen web browsers take when downloading an invalid filename. Replace the offending character with something else - typically a Adding a flag is typically not the best approach - increases configuration complexity, documentation surface area, etc. Adding a flag which can introduce a security hole even more so. |
Another option along the lines of "validate your inputs, sanitize your outputs" would be to have some kind of error if the filename fails to match internal validation rules, and ask the library user to report an error to their user for them to chose another filename. The above suggestion implements "sanitize your outputs"; this one would be to "validate your inputs". The current approach amounts more to "sanitize your inputs", which has a nasty habit of munging data, as observed. |
@mclark-newvistas, thanks a lot for useful suggestions. About replacing slashes with with "_": it seems to be another efficient way to go without breaking most of old apps. That way very poorly written apps may get broken only. About "validate your inputs": Agree, it would enforce more security to the apps. Yet the lib itself is "low-level package" that is used by many many other libs. It shouldn't do or enforce much validations/sanitizations/security since it's primary job is file uploads, not file security. Personally, I think we need to create (or use) a file-name validation/sanitization library, and use it in conjuction with Formidable (not "from within Formidable"). Afterwards, add an example to docs so that users were aware of it. We will still come back to this when implementing newer version, and - based on backward compatibility of the change - we will add it to v1.3 or v2.0. Keeping this ticket open for more suggestions/discussions. |
I think that top security should be the default. The file name converter and validator should be configurable as well. |
Great! <3 For now we can use something like https://npm.im/slugify |
or https://github.com/sindresorhus/filenamify |
Oh yea, that was it, i was trying to remember how it was called. Plus https://github.com/sindresorhus/unused-filename. |
related #664 |
What I tried: uploading a file
foo\n.csv.xls
to test my errors logsWhat happened:
.name
was set ton.csv.xls
, so my error logs show incorrect dataWhat I expected to happen:
.name
set tofoo\n.csv.xls
Line causing the problem: https://github.com/felixge/node-formidable/blob/2f9db9fd87a833c1bd095041e78317557172b7f7/lib/incoming_form.js#L438
The text was updated successfully, but these errors were encountered: