Anewt

SafeFilenameValidator

Bug #3279 reported by wouter bolsterlee
4
Affects Status Importance Assigned to Milestone
Anewt
Invalid
Wishlist
Unassigned

Bug Description

Feature request: SafeFilenameValidator. Should validate simple filenames, optionally allowing directories (but no / or ../ at the start should be allowed).

Tags: validators
wouter bolsterlee (wbolster)
Changed in anewt:
assignee: nobody → uws
wouter bolsterlee (wbolster)
Changed in anewt:
status: New → Accepted
Revision history for this message
wouter bolsterlee (wbolster) wrote :

Sander, does this make any sense? If not, please mark this INVALID.

(I don't use file upload controls so I don't have any opinion.)

Changed in anewt:
assignee: uws → sander-sinaasappel
Revision history for this message
Sander van Schouwenburg (Sandworm) (sander-sinaasappel) wrote :

If you're talking about the file upload control then no, this probably doesn't make a lot of sense. File uploads only specify a filename, not a directory. In the past I've used complex file upload controls with an option of manually specifying a file on the server, but I don't believe the version in anewt has this option.

I'm not really sure about a potential exploit with uploading a file with special/directory characters in the name. It's possible they are not properly escaped, but I'm not really sure how to test this. Windows doesn't allow me to create a file with a '/' or '\' in the name, and I don't think the browsers allow me to manually override the filename.

Revision history for this message
wouter bolsterlee (wbolster) wrote :

Ah well, I'll just mark this invalid.

Changed in anewt:
assignee: sander-sinaasappel → nobody
status: Confirmed → Invalid
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.