Filenames for file uploads in form

  • I have a form posting to Perch forms that includes a file upload input, allowing users of the website to upload photos. Filenames of uploaded files are not sanitised - punctuation symbols like brackets and ampersands are accepted and so are spaces in the filenames.

    Is that working correctly? The only operation affecting filenames appears to be the addition of a timestamp if a file has the same name as an existing file in the same directory.

    I'm curious because files uploaded using the Perch admin are subject to much more stringent sanitisation.

    The template is in the templates/content directory (not templates/forms). Template code (abbreviated):

    1. ...
    2. <perch:form id="cbd_form" method="post" app="perch_forms" action="#success">
    3. ...
    4. <div>
    5. <perch:label for="cb_image_import1">Photo 1 (.jpg or .png)</perch:label>
    6. <perch:error for="cb_image_import1" type="filetype"> <div class="error">The file must be an image eg .jpg, .png.</div></perch:error>
    7. <perch:error for="cb_image_import1" type="fileupload"> <div class="error">Sorry but we couldn't upload that file - the file may be too large. Please email the images to us separately, clearly identifying which building they relate to.</div></perch:error>
    8. <perch:input id="cb_image_import1" type="image" label="Photo 1">
    9. </div>
    10. ...


    Perch Runway: 3.1.5, PHP: 7.3.11, MySQL: mysqlnd 5.0.12-dev - 20150407 - $Id: 7cc7cc96e675f6d72e5cf0f267f48e167c2abb23 $, with PDO

    Server OS: WINNT, apache2handler

    Installed apps: content (3.1.5), assets (3.1.5), categories (3.1.5), perch_forms (1.12)

    App runtimes: <?php $apps_list = [ 'perch_forms', ]; ?>


    PERCH_PATH: C:\wamp\www\XXXX\cms

    PERCH_CORE: C:\wamp\www\XXXX\cms\core

    PERCH_RESFILEPATH: C:\wamp\www\XXXX\resources

    Image manipulation: GD

    PHP limits: Max upload 256M, Max POST 256M, Memory: 256M, Total max file upload: 256M

    F1: 3b606135b33e6a102526838f4152a807

    Resource folder writeable: Yes

    HTTP_HOST: XXXX.local

    DOCUMENT_ROOT: C:/wamp/www/XXXX

    REQUEST_URI: /cms/core/settings/diagnostics/

    SCRIPT_NAME: /cms/core/settings/diagnostics/index.php

  • drewm

    Approved the thread.