Sanitize filename with user input

Updated . Posted . Visible to the public.

If you have to build a filename (e.g. for use in downloads) that contains user input, keep in mind that malicious input might come from users and could lead to security problems.

Instead of blacklisting characters such as / , . \ ´ etc. better go for a stricter approach and use a whitelist such as:

def sanitize_filename(filename)
  filename.gsub(/[^0-9A-z.\-]/, '_')
end

If you need to have German Umlauts you can use /[^\w\-]/. This, however, will only work if the locale is set to German.
You might also want to transliterate Umlauts before using gsub, e.g.

I18n.transliterate('Übersetzung')
=> 'Uebersetzung'

with the following Hash in <locale>.yml:

i18n:
  transliterate:
    rule:
      Ä: Ae
      Ö: Oe
      Ü: Ue
      ä: ae
      ö: oe
      ü: ue

This will escape all characters except dashes, numbers and alphanumeric characters to underscores:

sanitize_filename "this -> !#+ <- gets sanitized, honey!"
=> "this_-_______-_gets_sanitized__honey_"
Thomas Eisenbarth
makandra.de
Say thanks4
Last edit
Daniel Straßner
Keywords
safe, secure, string
License
Source code in this card is licensed under the MIT License.

Related cards:

Sanitize user-generated filenames and only send files inside a given directory

If in your application your users pass along params that result in filenames, like invoices/generated?number=123. This could be your (very careless) controller method:

def generated
  send_file File.join(Rails.root, 'shared', 'invoices'...

Never use YAML.load with user input

You can get YAML.load to instantiate any Ruby object by embedding the desired class name into the YAML code. E.g. the following will create a new User object and set @email and @password to the given values:

--- !ruby/object:User

...

Automatically build the Passenger Apache module, without interactively asking for user input. 

passenger-install-apache2-module --auto

Ruby: Fixing strings with invalid encoding and converting to UTF-8

When dealing with external data sources, you may have to deal with improperly encoded strings.
While you should prefer deciding on a single encoding with the data-providing party, you can not always force that on external sources.
It gets worse wh...

Safely chain scopes with hash conditions

There is a nasty bug in all version of Rails 2 and some versions of Rails 3.x where [two chained scopes with hash conditions on the same attribute would overwrite each other](https://makandracards.com/makandra/740-know-the-side-effects-of-using-ha...

How to add a user with all privileges to MariaDB

Add a user without password (recommended)

Replace newuser with your desired username:

mysql -uroot -p
CREATE USER 'newuser'@'localhost' IDENTIFIED BY '';
GRANT ALL PRIVILEGES ON * . * TO 'newuser'@'localhost';
FLUSH PRIVILEGES;
exit;
``...

Best Practice: Creating User Accounts Without Sending the Password

In applications without a sign-up, user accounts are usually created by an admin. This imposes two challenges:

  • How to transmit the password securely and
  • How to make the user change the initial password immediately

There is a simple solution:...

Rails: Different flavors of concatting HTML safe strings in helpers

This card describes different flavors for concatting HTML safe strings in a helper method in Rails. You might want to use the tag helper instead of the [con...

Rails migration: Changing a column type without losing the content

The change_column method for rails migrations support casting with a custom SQL statement. This allows us to change a column type and keep the former content as the new type. This way, we can for example prepare an address number column to hold ...

Ruby's percent notation can do more than strings

Percent Notation

We already know that that we can create strings using the percent notation:

%(<foo="bar's ton">) is perfectly fine Ruby.

Modifier

Bu...

Posted by Thomas Eisenbarth to makandra dev (2011-06-28 13:21)
This website uses short-lived cookies to improve usability.
or learn more