Should we sanitize file names uploaded to server?

Question

When uploading files to a server. Should the file name be sanitized? i.e. avoiding non-ASCII characters like é or &?

Or should we allow these files to be saved as is?

PS. In Rails 3, I can't remember the method. It changes non-ascii chars to underscores and etc. Someone remind me pls. It's not sanitize. Its a different method.

If you do want to sanitize then here are some suggestions http://stackoverflow.com/questions/3756022/php-how-to-sanitize-uploaded-filenames — yo_man, Oct 04 '11 at 21:21

score 1 · Accepted Answer · answered Oct 04 '11 at 21:18

1

Be aware that you sanitize /, \ and \0 if sent from maliciuos user agents. If your filesystem fully supports Unicode, I would save them as they were sent by agent.

My preferred solution: Use a unique id as filename and store real filename in an additional file or database. So your application gets portable for systems not supporting Unicode

answered Oct 04 '11 at 21:18

UllaDieTrulla

573
1
5
18

And lets say a user decides to download the file. How would I be able to rename this to its original file name before serving it out? – Christian Fazzini Oct 05 '11 at 11:20
Look for header 'Content-Disposition'. – UllaDieTrulla Oct 05 '11 at 17:31

Should we sanitize file names uploaded to server?

1 Answers1