David Fraser
davidf at sjsoft.com
Thu Jun 3 18:31:32 EDT 2004
Daniel J. Popowich wrote:
>This is not really a mod_python question, but I figure a number of you
>have had to deal with this.
>
>On a windows client, let's say we have a file named:
>
> c:\foo\bar\baz
>
>which is what a user specifies in an HTML INPUT file widget.
>
>If the client is a mozilla browser the file name is returned as the
>basename of whatever was specified, so 'baz'. If the client is IE the
>file name is returned as the full path name specified, so
>r'c:\foo\bar\baz'. Leave it to M$ to complicate matters.
>
>This means I need to code my handler to expect either a basename or a
>full pathname. All I want is the basename. Complicating the matter
>is my handler is on a linux box, so my server-side python is compiled
>to handle unix paths, not windows paths (so I can't use functions like
>os.path.splitdrive).
>
>My solution, which I fear may be braindead, is to do this to all
>incoming filenames:
>
> filename = os.path.basename(filename.replace('\\', '/'))
>
>This appears to work, but I'm wondering if anyone else has a better
>solution.
>
>Thanks,
>
>Daniel
>
>
Hi Daniel
We've recently had exactly the same problem and solved it in a similar way:
    # IE submits the whole path. let's just get the filename in this case
    if "\\" in self.filename:
        self.filename = self.filename[self.filename.rfind("\\")+1:]
I reckon it should be classified as a [very mild] security vulnerability
in IE that they do this - do I really want websites to know the file
layout of my local system?
Anyway sorry but I don't think you're going to find a better solution...
although I'd be interested if there was one...
David
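
Added example, not part of the original thread: Python's `ntpath` module can be imported on any platform, so a Linux handler can parse Windows-style names, including drive-relative ones such as `c:baz` that neither snippet above reduces. The function name `client_basename` and the sample inputs are constructed for illustration.

```python
import ntpath

# Names that must never be used as a stored file name.
_REJECT = {"", ".", ".."}


def client_basename(raw):
    """Return the final path component of a browser-supplied upload name.

    ntpath treats both '\\' and '/' as separators and understands drive
    letters and UNC prefixes, regardless of the server's own OS.
    Raises ValueError when no usable name is left.
    """
    if "\x00" in raw:
        raise ValueError("NUL byte in file name")
    # Handles r'c:\foo\bar\baz', 'c:baz', 'foo/bar/baz' and plain 'baz'.
    name = ntpath.basename(raw).strip()
    if name in _REJECT:
        raise ValueError("no usable file name in %r" % (raw,))
    return name


# Constructed sample inputs: what different clients might submit.
SAMPLES = [
    r"c:\foo\bar\baz",       # full path, as IE sends it
    "baz",                   # basename only, as Mozilla sends it
    "c:baz",                 # drive-relative name
    r"\\host\share\baz",     # UNC path
    r"..\..\etc\passwd",     # traversal attempt in the submitted name
]


def demo():
    """Map each constructed sample to the name the handler would keep."""
    return [client_basename(s) for s in SAMPLES]


if __name__ == "__main__":
    for raw, kept in zip(SAMPLES, demo()):
        print("%-22r -> %r" % (raw, kept))
```

The returned name is still client-controlled text: join it only to a fixed upload directory on the server, and note that a legitimate Unix file name containing a backslash will be shortened by this approach.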