Can safely save a file of arbitrary name? #13

@ericman314

Description

Is there any provision to check whether a filename is valid, or is this something I have to do explicitly?

For example, in my server.js:

app.post('/upload-file', function(req, res) {
  // Filename is taken straight from the client-supplied multipart field
  var filename = req.files.file.name;
  // Destination path is built by string concatenation, so a traversal
  // sequence in filename can point outside public/img
  req.files.file.mv(__dirname + '/public/img/' + filename, function(err) {
    if(err) {
      res.json({err: err});
    }
    else {
      res.json({answer: "File transfer completed"});
    }
  });
});

In this example, if the user's filename was ../../server.js, this could really mess things up badly.
