I'm using uploadify + s3, and when trying to upload a file that has question marks in it, Uploadify doesn't give me the correct filename. For example, if the file is named #?? (copy).mp4, the fileObj.name value sent to the event handlers is # (basically everything after and including the question mark is removed).
Ignoring the original filename altogether is not an option, because I also need the extension.
If I try to change the scriptData at runtime, the upload will fail for some reason.
Can you help me out with this issue?
The problem exists above uploadify in actionscript's FileReference object.
From what I can tell the FileReference object chops the name at the question mark and only returns the part in front it.
I tried finding some way of getting to the original filesystem file name before it populated FileReference(event.target).name but I have next to no knowledge of actionscript.
I've also thought about renaming on the server but no mime type is set when the file is uploaded due to how `FileReference' handles the filename. I think it throws away the file ext since it's after the question mark.
I looked into hacking the uploadify Javascript to deal with file name validation and sanitization client side or send something to the server so the name can be fixed when the file is processed but by by the time uploadify has access to the name it's been truncated.
Related
This question already has answers here:
Use File Content to Determine MIME Type with Node JS
(2 answers)
Closed 2 years ago.
Hey everyone I'm trying to get the file type in Node.js. I have to rename the file before it's uploaded for version control and once the file is written then run some processing on it.
I'm aware that I can check the file type on the client but I still think it would be beneficial to do a server side check as well.
Other solutions have popped the file extension off the file name:
return filename.split('.').pop();
But since I'm renaming this file and a user could simply rename a malicious file to a whitelisted extension I'm looking for a solution that actually determines the file type, specifically CSV.
Can anyone point me in the direction of solving this?
To read the file extension you may use the snippet:
const { extname } = require('path')
console.log(extname('foo.csv')) // .csv
console.log(extname('BAR.CSV')) // .CSV
But since I'm renaming this file and a user could simply rename a malicious file to a whitelisted extension I'm looking for a solution that actually determines the file type, specifically CSV.
Usually, to implement this check, you need to read the magic bytes of the file and act accordingly for a limited set of file types but CSV is not in this list.
CSV is a plain text with a defined format, so you could:
read some line an try to parse them
define that the CSV must have a defined header like id,col1,col2,etc
use some tools that try to guess the mime type of the file (like mime-types )
I'm writing some html that links to a server to download a file. The location always remains the same, however, the file name gets updated.
Basically the link is like this:
http://www.somedomain.com/somedir/dir/filename_revA.pdf
The filename will often get revised ("filename_revB.pdf") for example. My goal would not having to change the html href code each time this happens.
TL;DR-- I want to be able to reference an url, ie: 'http://www.somedomain.com/somedir/dir/'
but not need the filename to fetch the file that is there after the last /.
Would RegEx (javascript) be best solution or a better method? Sorry if it's been asked I tried searching couldn't quite get what I wanted- requesting a URL WITHOUT the filename needed-while still fetching the actual file that's there. There's only one file that is there at all times, but perhaps to be safer using part of the name since only the last part changes?
edit- I don't have access to the server that hosts the file(s).
How to validate the content-type of a file before uploading using JavaScript? I'm not asking the extension validation. I want to validate pdf,plain text and MS word files.
I'm using a django forms.ModelForm to pass file upload widget to html. I couldn't achieve this either on server side. Here is that question,
Django - Uploaded file type validation
Maybe but it won't give you any form of security because an attacker could use other means to upload files thus circumventing your validation.
To check the file type using the extension (which is very insecure since it's dead easy to manipulate it), you can use JavaScript. See this question: How do I Validate the File Type of a File Upload?
[EDIT] After some googling, I found that the input element has an attribute accept which takes a list of mime type patterns. Unfortunately, most browsers ignore it (or only use it to tweak the file selection dialog). See this question: File input 'accept' attribute - is it useful?
[EDIT 2] Right now, it seems that the File API (see "Using files from web applications") is your only way it you really don't want to use file extensions. Each File instance has a type property which contains the mime type.
But this API is work in progress, so it's not available everywhere. And there is no guarantee that you'll get a MIME type (the property can be "").
So I suggest this approach: Try the File API. If it's not available or the type property is empty, use the file extension.
In theory you could use the File API to read the files.
You would then need to write parsers in JavaScript for the file formats you cared about to check if they matched.
I ask here in the hope that some members will be familiar enough with 'plupload' to help.
This little Jquery script is on the way to making my file-upload problems go away, so any help would be greatly appreciated.
Question:
I can upload large files using plupload, but when the appear on the server the name has changed to gibberish,
EG p163g1k1er15n310bi18bq1af61rc21.zip
From my experience with basic upload forms my assumption is that it is writing out a temp filename with the intention of renaming it to the original filename when the chunked sections have been put back together, but for some reason it may not be doing this.
I have changed the permission on the folder to 777, so I'm reasonably sure this isn't the issue.
The runtime being used is Flash (I require the chunking feature). It's version 1.4.3.2
As always, any help would be much appreciated.
There is a configuration option to generate unique file names instead of using the actual file name.
From the docs:
unique_names
Generate unique filenames when uploading. This will generate unqiue
filenames for the files so that they
don't for example collide with
existing ones on the server.
Make sure this option is not enabled in your configuration (it is not by default). There are still some file name cleaning routines run by the default included php upload script...
// Clean the fileName for security reasons
$fileName = preg_replace('/[^\w\._]+/', '', $fileName);
...and an underscore is always appended with a number if the file exists (regardless of configuration), like filename_2.jpg, but aside from that it should not be altering your file names.
EDIT: I've been searching the forums for a solution but coming up short, my last piece of advice is to try the HTML5 runtime, to see if this is related to the Flash runtime somehow, as there have been some issues with previous versions. If all else fails, post on the forum - the admins there are very responsive. Best of luck, please post a solution here if you find it.
Ploploader uses a variable called "unique_names"; in my case this was set to TRUE, however to preserve the actual filenames it should be set to false. Solution came from the Pluploader forum.
To keep original filename, if you use the upload.php provided by plupload then I had to change upload.php line 34 from
$fileName = isset($_REQUEST['name']) ? $_REQUEST['name'] : '';
to
$fileName = isset($_FILES['file']["name"]) ? $_FILES['file']["name"] : '';
I had the same problem. An another solution is to inject real file name as a new input into FormData object.
(I am using chrome and HTML5 runtime!)
in plupload.html5.js file find the creation of object O = new FormData();
and
add some injections with
var oFileName = $("input[name='oFileName']").val();
O.append("oFileName", V.name);
After this adding get the real file name in your server side (for upload.php)
$oFileName = $_REQUEST["oFileName"];
I have a file input in a form that uploads an MP3 file, but I´d like to detect reserved characters to my system in the filename, like ! # or any other.
All codes I´ve found replace these characters, but I just want to detect them to alert the user. I think it will be easy with regular expressions, but I dont know about them.
I´m using JQuery/Javascript.
Edit to improve my problem description:
I´m working in a CodeIgniter application that allows user to upload MP3 files to the server. I use jQuery to manage client side forms. The CI upload class converts spaces in the file name to underscores and everything works. But in testing the application I uploaded an MP3 file with a (!) in the name, and I got troubles with it.
I just want to insert a javascript conditional before the file is uploaded to evaluate if the user´s filename contains a (!) (or any other I´d like to add later) to ask for the file to be renamed if it does.
Consider not blocking any characters at all. It's just a hassle for the user, and on exotic systems with strange path characters, you may end up not letting the user upload anything at all.
Let the user upload the file, and store the file name on the server in URI-Encoded form (in PHP, urlencode() would be the right function to go). This makes the file name compatible with your OS, and allows the user to keep any special characters in it when re-downloading the file.
One way to do this would be to compare the actual value of the input field to one encoded by encodeURIComponent. If they are the same, the filename is safe.
Be aware, though, that the browser may not report any filename at all. My plugin responds to this by returning true if no value is returned. This may, of course, mean that no value has been set.
jQuery plugin:
(function($) {
$.fn.fileNameIsValid = function() {
var val = this[0].value.replace('C:\\fakepath\\', '');
return !val || encodeURIComponent(val) === val;
}
}(jQuery));
You can then call this as so:
if ($('#yourFileInput').fileNameIsValid()) {
// filename validates
}