[mod_python] uploaded file names

David Fraser davidf at sjsoft.com
Thu Jun 3 18:31:32 EDT 2004


Daniel J. Popowich wrote:

>This is not really a mod_python question, but I figure a number of you
>have had to deal with this.
>
>On a windows client, let's say we have a file named:
>
>  c:\foo\bar\baz
>
>which is what a user specifies in an HTML INPUT file widget.
>
>If the client is a mozilla browser the file name is returned as the
>basename of whatever was specified, so 'baz'.  If the client is IE the
>file name is returned as the full path name specified, so
>r'c:\foo\bar\baz'.  Leave it to M$ to complicate matters.
>
>This means I need to code my handler to expect either a basename or a
>full pathname.  All I want is the basename.  Complicating the matter
>is my handler is on a linux box, so my server-side python is compiled
>to handle unix paths, not windows paths (so I can't use functions like
>os.path.splitdrive).
>
>My solution, which I fear may be braindead, is to do this to all
>incoming filenames:
>
>  filename = os.path.basename(filename.replace('\\', '/'))
>
>This appears to work, but I'm wondering if anyone else has a better
>solution.
>
>Thanks,
>
>Daniel
>  
>
Hi Daniel

We've recently had exactly the same problem and solved it in a similar way:
      # IE submits the whole path. lets just get the filename in this case
      if "\\" in self.filename:
        self.filename = self.filename[self.filename.rfind("\\")+1:]
I reckon it should be classified as a [very mild] security vulnerability 
in IE that they do this - do I really want websites to know the file 
layout of my local system?
Anyway sorry but I don't think you're going to find a better solution... 
although I'd be interested if there was one...

David



More information about the Mod_python mailing list