File UploadΒΆ
The python scripts in this page and in the next one will try to save an uploaded file in a directory named files in the directory where it is running. If the directory where the script is running is /path/to/dir
then the /path/to/dir/files
directory must exist. If it does not it will fail.
To upload a file the HTML form must have the enctype attribute set to multipart/form-data. The input tag with the file type will create a “Browse” button.
<html><body>
<form enctype="multipart/form-data" action="save_file.py" method="post">
<p>File: <input type="file" name="file"></p>
<p><input type="submit" value="Upload"></p>
</form>
</body></html>
The cgi.FieldStorage.getfirst()
and cgi.FieldStorage.getlist()
methods will only return the file(s) content. To also get the filename it is necessary to access a nested cgi.FieldStorage
instance by its index in the top cgi.FieldStorage
instance:
#!/usr/bin/env python
import cgi, os
import cgitb; cgitb.enable()
try: # Windows needs stdio set for binary mode.
import msvcrt
msvcrt.setmode (0, os.O_BINARY) # stdin = 0
msvcrt.setmode (1, os.O_BINARY) # stdout = 1
except ImportError:
pass
form = cgi.FieldStorage()
# A nested FieldStorage instance holds the file
fileitem = form['file']
# Test if the file was uploaded
if fileitem.filename:
# strip leading path from file name
# to avoid directory traversal attacks
fn = os.path.basename(fileitem.filename)
open('files/' + fn, 'wb').write(fileitem.file.read())
message = 'The file "' + fn + '" was uploaded successfully'
else:
message = 'No file was uploaded'
print """\
Content-Type: text/html\n
<html><body>
<p>%s</p>
</body></html>
""" % (message,)
A directory traversal attack is one where the attacker submits a file with a leading path like in ../../attacker_program
. This way he can save a program wherever the Apache user has write permission. Or read a file if the target script reads files.