web2py renames the file as a security measure to prevent directory 
traversal attacks.  You can read more about it here ...
http://www.web2py.com/books/default/search/29?search=traversal
and here ...
http://en.wikipedia.org/wiki/Directory_traversal_attack

As you point out, web2py stores the new file name in the upload field (that 
field initially contains the cgi.FieldStorage() object for the file itself 
and then it's replaced with the new file name).  Rather than store the 
original file name in that field, you may want to consider storing the 
original file name in a separate field.  You can do this using a compute 
field.

Field('original_file_name', compute=doc_filename)

and then ...

def doc_filename(row):
    # On a new upload this var holds a cgi.FieldStorage() object; on an
    # edit/update it holds the stored filename string instead.
    upload = request.vars.upload_field_name
    if upload is not None and not isinstance(upload, str):
        return upload.filename

Note that because request.vars.upload_field_name initially contains a 
cgi.FieldStorage() object, you can't just use 
"if request.vars.upload_field_name", and since it is then replaced with the 
filename, you need to test for the filename string for edits/updates.

Also note that I found the instructions in the book to store the original 
filename 
(http://www.web2py.com/books/default/chapter/29/07/forms-and-validators?search=original+filename#Storing-the-original-filename) 
were not sufficient to update the original filename for edit/update forms.

I was also able to store the file size and file type using compute 
fields and these statements:

def doc_filetype(row):
    upload = request.vars.upload_field_name
    if upload is not None and not isinstance(upload, str):
        # Extension of the client-supplied filename
        return upload.filename.split('.')[-1]

def doc_filesize(row):
    upload = request.vars.upload_field_name
    if upload is not None and not isinstance(upload, str):
        # Content-Length header of the POST request
        return request.env.content_length


On Thursday, June 5, 2014 7:46:32 PM UTC-4, Spokes wrote:
>
> When you upload a file with SQLFORM factory, the file is assigned a name 
> along the lines of "no_table.[something1].[something2]...". If you've 
> manually written the form validation/accept code, you can change the file 
> name that is stored in the table by changing the form.vars.[name_of_field] 
> variable corresponding to the file. I'm changing the "no_table" prefix of 
> the filename to the name of the corresponding table, for example. This 
> changes the table entry for the file name, but does not modify the name of 
> the uploaded file itself. 
>
> How does one modify the name of the file that is uploaded without using 
> SQLFORM.factory's tablename argument? Thank you.
>
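
An added example, not part of the original thread and not web2py's own code: a simplified sketch of why the server picks the stored name and keeps the client's filename only as encoded metadata, loosely modelled on the "table.field.[something]" pattern quoted above. UPLOAD_DIR and all function names are hypothetical, and the hostile filename is constructed.

```python
import base64
import os
import re
import uuid

UPLOAD_DIR = "/srv/app/uploads"  # hypothetical upload folder (assumption)

def client_basename(raw_name):
    """Reduce a client-supplied filename to its last path component."""
    # Clients may send Windows or POSIX paths; treat both separators alike.
    name = raw_name.replace("\\", "/").split("/")[-1]
    name = re.sub(r"[\x00-\x1f]", "", name).strip()  # drop control characters
    return name if name not in ("", ".", "..") else "unnamed"

def storage_name(table, field, raw_name):
    """Server-chosen name; the client's name is carried only hex-encoded."""
    original = client_basename(raw_name)
    ext = os.path.splitext(original)[1].lstrip(".").lower()
    ext = ext if re.fullmatch(r"[a-z0-9]{1,10}", ext) else "bin"
    token = uuid.uuid4().hex[:16]  # random part, so names cannot be predicted
    encoded = base64.b16encode(original.encode("utf-8")).decode("ascii").lower()
    return ".".join([table, field, token, encoded, ext])

def original_name(stored):
    """Recover the client's filename for display from a stored name."""
    return base64.b16decode(stored.split(".")[3].upper()).decode("utf-8")

def resolve(upload_dir, stored):
    """Map a stored name to a path, refusing anything outside upload_dir."""
    base = os.path.realpath(upload_dir)
    path = os.path.realpath(os.path.join(base, stored))
    if os.path.commonpath([base, path]) != base:
        raise ValueError("path escapes the upload directory")
    return path

def naive_path(upload_dir, raw_name):
    """For contrast: joining the client's name directly (do not do this)."""
    return os.path.normpath(os.path.join(upload_dir, raw_name))

if __name__ == "__main__":
    raw = "../../../etc/passwd"  # constructed hostile filename
    print(naive_path(UPLOAD_DIR, raw))
    stored = storage_name("no_table", "upload", raw)
    print(stored, "->", original_name(stored))
    print(resolve(UPLOAD_DIR, stored))
```

The stored name contains only the table, field, a random token, hex digits and a whitelisted extension, so no path separator from the client can reach the filesystem call.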
