`/utilities/upload` can modify the requested filename (Very problematic ๐ )
chrisjsewell opened this issue ยท 3 comments
During the upload operation, a function secure_filename
is applied to the filename:
firecrest/src/utilities/utilities.py
Line 372 in 7f02d11
(this function: https://github.com/pallets/werkzeug/blob/417268cb0ff2ecf8da29f80d542b0b10c97bab01/src/werkzeug/utils.py#L194)
This is really problematic because, among other things, it will strip _
and .
from the ends of the filename.
In AiiDA, for example, we use _aiidasubmit.sh
for all SLURM submission scripts, which now gets copied as aiidasubmit.sh
, and thus everything fails because it cannot find the file ๐ญ
Obviously, I can understand if you want to have security checks, but especially stripping _
seems very unnecessary?
I would probably expect at least that the upload simply failed, if the "secure" filename was different from the original filename, otherwise it leads to very unexpected (and difficult to debug) outcomes
Note there was an issue opened on this _
stripping, but its not very informative ๐คท : pallets/werkzeug#1398
Note also, this secure_filename
function is used in a few other places
Just for the record:
this wired ๐ issue is fixed now. I think we can close here.