```python
import os
from flask import Flask, flash, request, redirect, url_for
from werkzeug.utils import secure_filename

UPLOAD_FOLDER = '/path/to/the/uploads'
ALLOWED_EXTENSIONS = {'txt', 'pdf', 'png', 'jpg', 'jpeg', 'gif'}

app = Flask(__name__)
app.config['UPLOAD_FOLDER'] = UPLOAD_FOLDER
```

secure_filename() is explained a little bit later. The UPLOAD_FOLDER is where we will store the uploaded files and the ALLOWED_EXTENSIONS is the set of allowed file extensions.

Why do we limit the extensions that are allowed? You probably don’t want your users to be able to upload everything there if the server is directly sending out the data to the client. That way you can make sure that users are not able to upload HTML files that would cause XSS problems (see Cross-Site Scripting (XSS)). Also make sure to disallow .php files if the server executes them, but who has PHP installed on their server, right? :)

Next the functions that check if an extension is valid and that uploads the file and redirects the user to the URL for the uploaded file:

```python
def allowed_file(filename):
    return '.' in filename and \
           filename.rsplit('.', 1)[1].lower() in ALLOWED_EXTENSIONS


@app.route('/', methods=['GET', 'POST'])
def upload_file():
    if request.method == 'POST':
        # check if the post request has the file part
        if 'file' not in request.files:
            flash('No file part')
            return redirect(request.url)
        file = request.files['file']
        # If the user does not select a file, the browser submits an
        # empty file without a filename.
        if file.filename == '':
            flash('No selected file')
            return redirect(request.url)
        if file and allowed_file(file.filename):
            filename = secure_filename(file.filename)
            file.save(os.path.join(app.config['UPLOAD_FOLDER'], filename))
            # download_file is the view that serves uploaded files; it is
            # defined elsewhere in the application.
            return redirect(url_for('download_file', name=filename))
    return '''
    <!doctype html>
    <title>Upload new File</title>
    <h1>Upload new File</h1>
    <form method=post enctype=multipart/form-data>
      <input type=file name=file>
      <input type=submit value=Upload>
    </form>
    '''
```

So what does that secure_filename() function actually do? Now the problem is that there is that principle called “never trust user input”. This is also true for the filename of an uploaded file.
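Two things in the handler above are worth exercising before trusting them: what the extension check actually accepts, and where an unsanitised filename would land once it is joined onto the upload folder. The following is an added example, not code from the Flask documentation; it uses only the standard library, does not re-implement werkzeug's secure_filename(), and the containment helpers destination_path() and stays_inside() are hypothetical names introduced here.

```python
# Added example (not from the Flask docs): standard-library checks for the
# extension filter and for path containment of an untrusted filename.
import os

UPLOAD_FOLDER = '/path/to/the/uploads'   # same placeholder path as the docs
ALLOWED_EXTENSIONS = {'txt', 'pdf', 'png', 'jpg', 'jpeg', 'gif'}


def allowed_file(filename):
    """Extension check exactly as written in the upload handler.

    Only the text after the LAST dot is consulted, which matches how a
    static file server picks a content type. It says nothing about the
    bytes inside the file.
    """
    return '.' in filename and \
           filename.rsplit('.', 1)[1].lower() in ALLOWED_EXTENSIONS


def destination_path(upload_folder, filename):
    """Join an untrusted filename onto the upload folder and refuse any
    result that resolves outside it (hypothetical helper).

    os.path.join() happily follows '..' segments and replaces the base
    entirely when given an absolute path; abspath() normalises the result
    so the containment test below sees the real destination.
    """
    base = os.path.abspath(upload_folder)
    candidate = os.path.abspath(os.path.join(base, filename))
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError('filename escapes the upload folder: %r' % filename)
    return candidate


def stays_inside(upload_folder, filename):
    """True if destination_path() accepts the filename, False if it
    would have written outside the upload folder."""
    try:
        destination_path(upload_folder, filename)
        return True
    except ValueError:
        return False
```

Run the containment check on filenames such as `../../etc/passwd` or `/etc/passwd` to see why the handler must pass every name through secure_filename() before os.path.join().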