SQLFORM upload field, absolute filepath


Thadeus Burgess

Nov 23, 2009, 10:21:48 PM
to web...@googlegroups.com
How do I get the new filename of an uploaded file, along with its new absolute path?

Below, from the book, does not exist.

.... web2py 2nd edition pg 196 p. 2.....
   Only its extension is preserved. This is a security requirement since the
filename may contain special characters that could allow a visitor to perform
directory traversal attacks or other malicious operations.
   The new filename is also stored in form.vars.image_newfilename.
   When editing the record using an UPDATE form, it would be nice to
display a link to the existing uploaded file, and web2py provides a way to
do it.


-Thadeus


mr.freeze

Nov 23, 2009, 10:46:09 PM
to web2py-users
I believe it is form.vars.<upload_field>_newfilename. You should be
able to get the path with:

os.path.join(request.folder, 'uploads', form.vars.<upload_field>_newfilename)

There may be a better way though.

Thadeus Burgess

Nov 23, 2009, 10:53:04 PM
to web...@googlegroups.com
The problem is I am trying to get the file from the function in SQLFORM.onvalidation... and this happens before the file gets renamed or saved to the disk. The only way I see of accomplishing this is


if form.accepts(request.vars, session, dbio=False):

    # def is_plugin_archive(form):
    #     import tarfile, os
    #     path = os.path.join(db._folder, '..', 'uploads', form.vars.file_newfilename)
    #
    #     if not tarfile.is_tarfile(path):
    #         form.errors.file = "Not a valid tar archive"

    is_plugin_archive(form)

    if not form.errors:
        session.flash = "Version uploaded."
        redirect(URL(r=request, f='plug', args=plugin.id))
    else:
        response.flash = "There were errors with the file"

elif form.errors:
    response.flash = "There were errors"

-Thadeus

Richard

Nov 23, 2009, 11:31:08 PM
to web2py-users
IIRC, you can use db.table.field.store(request.vars.field) to get the
web2py generated filename.

Thadeus Burgess

Nov 23, 2009, 11:47:28 PM
to web...@googlegroups.com
Ah yes, would love to, however it ends up copying the file twice, since it will do it in my function, and then again later on in SQLFORM.accepts.

This is the modified version, it works, I just need to make sure the file is not too large for the server to handle.

The limitation really comes from tarfile.is_tarfile, it expects and requires a filename, because it wants to open the file itself. Therefore I need a copy of the file somewhere besides in memory.

Any ideas on improvements or a better way?

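def is_valid_tar(form):
    import tarfile, os, random, shutil
    # tarfile.is_tarfile needs a filename, so copy the upload to a temporary file first
    tmppath = os.path.join(request.folder, 'uploads', 'tmpupf%f.temp.w2p' % random.random())
    f = form.vars.file.file
    try:
        dest_file = open(tmppath, 'wb')
        try:
            shutil.copyfileobj(f, dest_file)
        finally:
            # dest_file exists here only because open() succeeded
            dest_file.close()
        if not tarfile.is_tarfile(tmppath):
            form.errors.file = "Invalid file format"
    except (IOError, OSError):
        # the temporary copy could not be written or read back, so it cannot be validated
        form.errors.file = "Invalid file format"

    # always clean up the temporary copy
    try:
        os.remove(tmppath)
    except OSError:
        pass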

#...
form.accepts(...onvalidation=is_valid_tar)


-Thadeus

Richard

Nov 24, 2009, 7:03:57 PM
to web2py-users
Instead of using is_tarfile() you could use the TarFile class (which
can take a file object) to check whether the data can be interpreted
as a tar file:


from tarfile import TarFile, TarError
from StringIO import StringIO

try:
    TarFile(fileobj=StringIO(data))
except TarError:
    print "Not a tar file"

mdipierro

Nov 24, 2009, 7:37:13 PM
to web2py-users
Basically we do that now for w2p files.

Thadeus Burgess

Nov 24, 2009, 7:39:17 PM
to web...@googlegroups.com
I have tried this, and it throws a read error exception on even valid tar files.

-Thadeus
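
Added example, not part of the original thread or of web2py: one way to validate the upload directly from its file object (form.vars.file.file in the posts above), with no temporary copy on disk and with the size limit the thread asks for. It is written for the Python 3 standard library; `check_tar_upload`, `make_sample_tar` and `MAX_UPLOAD_BYTES` are hypothetical names, the 10 MB limit and the rejection of links and of absolute or `..` member paths are assumptions that go beyond what the thread discusses, and the sample archives are constructed in memory.

```python
import io
import tarfile

MAX_UPLOAD_BYTES = 10 * 1024 * 1024  # assumed limit; tune to what the server can handle


def check_tar_upload(fileobj, max_bytes=MAX_UPLOAD_BYTES):
    """Return None if fileobj holds an acceptable tar archive, else an error string.

    fileobj is any seekable binary file object (in web2py, form.vars.file.file).
    The stream is rewound before returning so the framework can still store it.
    """
    try:
        # Measure the size by seeking, so nothing is loaded into memory
        fileobj.seek(0, io.SEEK_END)
        if fileobj.tell() > max_bytes:
            return "File too large"
        fileobj.seek(0)
        # 'r:*' lets tarfile detect plain, gzip, bz2 or xz archives itself
        with tarfile.open(fileobj=fileobj, mode="r:*") as archive:
            for member in archive:
                name = member.name.replace("\\", "/")
                # Refuse entries that would land outside the extraction directory
                if name.startswith("/") or ".." in name.split("/"):
                    return "Archive contains an unsafe path: %s" % member.name
                # Assumption: a plugin archive holds only regular files and directories
                if not (member.isfile() or member.isdir()):
                    return "Archive contains a non-regular entry: %s" % member.name
    except (tarfile.TarError, EOFError, OSError):
        return "Invalid file format"
    finally:
        fileobj.seek(0)
    return None


def make_sample_tar(entries, mode="w"):
    """Build a constructed sample archive in memory from {name: bytes}."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode=mode) as archive:
        for name, data in entries.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            archive.addfile(info, io.BytesIO(data))
    buf.seek(0)
    return buf
```

In an onvalidation callback the returned string, when not None, would be assigned to form.errors.file.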