
Filenames with a '\' are not returned as entered

What I tried: uploading a file foo\n.csv.xls to test my errors logs

What happened: .name was set to n.csv.xls, so my error logs show incorrect data

What I expected to happen: .name set to foo\n.csv.xls

Line causing the problem: https://github.com/felixge/node-formidable/blob/2f9db9fd87a833c1bd095041e78317557172b7f7/lib/incoming_form.js#L438

Issue Analytics

  • State: closed
  • Created 6 years ago
  • Comments: 15 (8 by maintainers)

Top GitHub Comments

2 reactions
xarguments commented, Nov 27, 2019

@mclark-newvistas, thanks a lot for useful suggestions.

About replacing slashes with “_”: it seems to be another efficient way to go without breaking most old apps. That way, only very poorly written apps may get broken.

About “validate your inputs”: Agree, it would enforce more security in the apps. Yet the lib itself is a “low-level package” that is used by many, many other libs. It shouldn’t do or enforce much validation/sanitization/security since its primary job is file uploads, not file security. Unix way - “Write components that do one thing and do it well; write components that work together”.

Personally, I think we need to create (or use) a file-name validation/sanitization library, and use it in conjunction with Formidable (not “from within Formidable”). Afterwards, add an example to the docs so that users are aware of it. I had created such a library for file name input validation/sanitization which conforms to many file name RFCs and security checklists. Perhaps some day I’ll port it to JS and open-source it (when I have time).

We will still come back to this when implementing the newer version, and - based on backward compatibility of the change - we will add it to v1.3 or v2.0.

Keeping this ticket open for more suggestions/discussions. Thanks.

2 reactions
mclark-newvistas commented, Feb 19, 2019

@xarguments I’m fine w/OS dependent behavior personally, though I recognize you might feel it violates the Principle of Least Surprise for enough of your users to matter.

Given your reasonable preference for consistency, I’d recommend taking the same approach I’ve seen web browsers take when downloading an invalid filename. Replace the offending character with something else - typically a _. I would not have been very surprised had my filename coming from Formidable been foo_n.csv.xls, but was extremely surprised that it was truncated.

Adding a flag is typically not the best approach - increases configuration complexity, documentation surface area, etc. Adding a flag which can introduce a security hole even more so.
