Can safely save a file of arbitrary name?

[ericman314]

Is there any provision to check whether a filename is valid, or is this something I have to do explicitly?

For example, in my server.js:

app.post('/upload-file', function(req, res) {
  var filename = req.files.file.name;
  req.files.file.mv(__dirname + '/public/img/' + filename, function(err) {
    if(err) {
      res.json({err: err});
    }
    else {
      res.json({answer: "File transfer completed"});    
    }
  });
});

In this example, if the user's filename was ../../server.js, this could really mess things up badly.

[richardgirges]

@ericman314 there is currently no provision to validate the filename, for now you'll have to check manually - but I'll start working on this and have it out in the next release.

[richardgirges]

Hi @ericman314 a new feature was added to address this issue in Release v0.0.6. Checkout the documentation here:

https://github.com/richardgirges/express-fileupload#available-options

You can now pass in a new option called "safeFileNames" to strip out bad characters from file names. This feature is off by default.