AB wrote:
> I tried the following with the same result:
> myName = ulImage.filename
> newFile = file (os.path.join(upload_dir, os.path.basename(myName)), 'wb')

os.path is different on your system to the uploader's system. You are using Unix pathnames, with a '/' separator - they are using Windows ones, with '\', so os.path.basename won't recognise them as separators. Old-school-Macintosh and RISC OS machines have different path separators again.

The Content-Disposition filename parameter can be set by the user-agent to *anything at all*. Using it without some serious sanitising beforehand is a recipe for security holes. In your original code an attacker could have arbitrarily written to any file the web user had access to. The code with os.path.basename is better but could still be confused by things like an empty string, '.', '..' or invalid characters.

It's best not to use any user-submitted data as the basis for filenames. If you absolutely *must* use Content-Disposition as a local filename you must send it through some strict checking first, whether the browser sends full paths to you or not.

-- 
And Clover
mailto:[EMAIL PROTECTED]
http://www.doxdesk.com/
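
One way to do the strict checking described in the reply above, as an added example that is not part of the original post. The names `sanitise_filename` and `open_upload`, the allowlist pattern and the reserved-name list are assumptions chosen for illustration.

```python
import os
import re

# Assumed allowlist: starts and ends with a letter or digit, 100 chars at most.
_SAFE_NAME = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9._-]{0,98}[A-Za-z0-9])?")
# Device names that Windows treats specially whatever the extension.
_RESERVED = {"CON", "PRN", "AUX", "NUL"} | {
    f"{dev}{n}" for dev in ("COM", "LPT") for n in range(1, 10)
}


def sanitise_filename(client_name):
    """Return a safe leaf name from a client-supplied filename or raise ValueError."""
    if not isinstance(client_name, str):
        raise ValueError("filename must be text")
    # Split on every separator a client OS may have used ('\\', '/', ':'),
    # because os.path.basename only knows the server's own separator.
    leaf = re.split(r"[\\/:]", client_name)[-1]
    # fullmatch rejects '', '.', '..', dotfiles, spaces, NUL and newlines.
    if not _SAFE_NAME.fullmatch(leaf):
        raise ValueError("unacceptable filename: %r" % (client_name,))
    if leaf.split(".")[0].upper() in _RESERVED:
        raise ValueError("reserved device name: %r" % (client_name,))
    return leaf


def open_upload(upload_dir, client_name):
    """Create a new file for an upload strictly inside upload_dir."""
    leaf = sanitise_filename(client_name)
    base = os.path.realpath(upload_dir)
    target = os.path.realpath(os.path.join(base, leaf))
    # Second line of defence: the resolved path must stay under upload_dir,
    # which also catches a pre-existing symlink that points elsewhere.
    if os.path.commonpath([base, target]) != base:
        raise ValueError("path escapes upload directory")
    # 'xb' refuses to overwrite, so one upload cannot replace another file.
    return open(target, "xb")
```

Where the original name does not have to survive on disk, a server-generated name (for example from `uuid.uuid4()`) with the client name stored only as metadata avoids the problem entirely.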