Uploading files from IE

AB

All right... I already hated IE. But now I do even more. My script's
upload function is working in Firefox, but not in IE. If I upload a file
from Internet Explorer I get a file on the system named for the full path
from the user's computer...

example...
The user uploads C:\mydocs\test.jpg
it ends up at /path/to/webdir/C:\mydocs\test.jpg
instead of /path/to/webdir/test.jpg

This only happens in IE. Firefox, Safari, Opera... all work fine.

This code is to show how I am going about getting the name... not the actual
code from my program.

import cgi
import os

upload_dir = "/path/to/webdir/"
myForm = cgi.FieldStorage()
ulImage = myForm["ulImage"]
myName = ulImage.filename   # whatever the browser put in the filename parameter
newFile = open(os.path.join(upload_dir, myName), 'wb')
while 1:
    chunk = ulImage.file.read(100000)
    if not chunk: break
    newFile.write(chunk)
newFile.close()


Thanks for any help.
AG
 
Irmen de Jong

AB said:
All right... I already hated IE. But now I do even more. My script's
upload function is working in Firefox, but not in IE. If I upload a file
from Internet Explorer I get a file on the system named for the full path
from the user's computer...

example...
The user uploads C:\mydocs\test.jpg
it ends up at /path/to/webdir/C:\mydocs\test.jpg
instead of /path/to/webdir/test.jpg

try something like this:
filename = os.path.basename(fullpathname)

--Irmen
 
AB

Irmen de Jong said:
try something like this:
filename = os.path.basename(fullpathname)

I tried the following with the same result:
myName = ulImage.filename
newFile = open(os.path.join(upload_dir, os.path.basename(myName)), 'wb')

Any other ideas? Seems like it shouldn't be a browser issue though...
 
Dennis Lee Bieber

Any other ideas? Seems like it shouldn't be a browser issue though...

Can you temporarily rig your upload script to return a page with all
the names involved... i.e., the server path, the name passed from the
client, etc.

Then try with both browsers to see if they are different.
 
and-google

AB said:
I tried the following with the same result:
myName = ulImage.filename
newFile = open(os.path.join(upload_dir, os.path.basename(myName)), 'wb')

os.path is different on your system to the uploader's system. You are
using Unix pathnames, with a '/' separator - they are using Windows
ones, with '\', so os.path.basename won't recognise them as separators.
Old-school-Macintosh and RISC OS machines have different path
separators again.

The Content-Disposition filename parameter can be set by the user-agent
to *anything at all*. Using it without some serious sanitising
beforehand is a recipe for security holes. In your original code an
attacker could have arbitrarily written to any file the web user had
access to. The code with os.path.basename is better but could still be
confused by things like an empty string, '.', '..' or invalid
characters.

It's best not to use any user-submitted data as the basis for
filenames. If you absolutely *must* use Content-Disposition as a local
filename you must send it through some strict checking first, whether
the browser sends full paths to you or not.
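
Added example (not code from the thread or from any of the posters): one way to do the strict checking and-google describes, and to make Irmen's basename suggestion work when the server runs Unix and the client is a Windows browser sending "C:\mydocs\test.jpg". The sample filenames, the image-only extension policy in ALLOWED_EXTENSIONS and the helper names are assumptions made for this example. It uses ntpath.basename, which understands both '\' and '/' on any OS, rather than os.path.basename, and follows that with a character allow-list, a rejection of '', '.', '..' and control characters, and a final check that the resolved path still sits inside the upload directory.

```python
import ntpath
import os
import re

# Constructed sample values for the Content-Disposition filename parameter:
# the two cases from the thread plus the hostile inputs and-google warns about.
SAMPLE_FILENAMES = [
    r"C:\mydocs\test.jpg",     # Internet Explorer sends the full client path
    "test.jpg",                # Firefox, Safari, Opera send the bare name
    "../../etc/passwd",        # POSIX traversal attempt
    r"..\..\boot.ini",         # Windows-style traversal attempt
    "/etc/passwd",             # absolute path: os.path.join would discard upload_dir
    "",                        # empty string
    ".",                       # current directory
    "..",                      # parent directory
    "weird name (1).JPG",      # awkward but legitimate
    "evil\x00.jpg",            # embedded NUL
]

# Assumed policy for this example: only image extensions are accepted.
ALLOWED_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif"}


def basename_any_os(name):
    """Return the last path component whatever separator the client used.

    os.path.basename on a Unix server only understands '/', which is why
    'C:\\mydocs\\test.jpg' survives it unchanged. ntpath treats both '\\'
    and '/' as separators and strips a 'C:' drive prefix, on any platform.
    """
    return ntpath.basename(name)


def safe_filename(user_supplied, allowed_extensions=ALLOWED_EXTENSIONS):
    """Derive a safe local filename from a user-supplied one.

    Returns None when no safe name can be produced; the caller should then
    reject the upload or generate its own name rather than guess.
    """
    if not user_supplied:
        return None
    name = basename_any_os(user_supplied)
    # Control characters (NUL in particular) have no place in a filename.
    if any(ord(ch) < 32 or ch == "\x7f" for ch in name):
        return None
    # Allow-list characters; everything else becomes '_'.
    name = re.sub(r"[^A-Za-z0-9._-]", "_", name)
    # Collapse dot runs so '..' cannot survive, then drop leading/trailing
    # dots and underscores (this also rejects '.', '..' and dotfiles).
    name = re.sub(r"\.{2,}", ".", name).strip("._")
    if not name:
        return None
    root, ext = os.path.splitext(name)
    ext = ext.lower()
    if not root or ext not in allowed_extensions:
        return None
    return root[:100] + ext


def resolve_upload_path(upload_dir, user_supplied):
    """Join the sanitised name to upload_dir and confirm it stays inside.

    The containment check is a second line of defence: even if sanitising
    were bypassed, a name that resolves outside upload_dir is refused.
    """
    name = safe_filename(user_supplied)
    if name is None:
        return None
    base = os.path.realpath(upload_dir)
    target = os.path.realpath(os.path.join(base, name))
    if os.path.dirname(target) != base:
        return None
    return target


def classify_samples(upload_dir="/path/to/webdir"):
    """Map each sample filename to the path it would be stored at, or None."""
    return {raw: resolve_upload_path(upload_dir, raw) for raw in SAMPLE_FILENAMES}


if __name__ == "__main__":
    for raw, target in classify_samples().items():
        print("%-25r -> %s" % (raw, target if target else "REJECTED"))
```

In the original script, resolve_upload_path would replace the bare os.path.join: a None result means the upload is refused (or the server picks its own name, which is the safer default the post recommends), so "C:\mydocs\test.jpg" lands at /path/to/webdir/test.jpg while "../../etc/passwd" and "/etc/passwd" never reach the filesystem at all.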
 
