
In https://laravel.com/docs/9.x/filesystem#file-uploads I read this about custom file uploading:

However, keep in mind that the getClientOriginalName and getClientOriginalExtension methods are considered unsafe, as the file name and extension may be tampered with by a malicious user. For this reason, you should typically prefer the hashName and extension methods to get a name and an extension for the given file upload:

I do not like using hashName; I would prefer the original name, making it safe. I wonder how a file name can be unsafe? I know that, say, a login/username can be used to bypass a login procedure. But a file name? If it can be unsafe, how do I modify it to make it safe?

Thanks in advance!

Petro Gromovo
    What if two users upload a file with the same file name? – jmvcollaborator Sep 03 '22 at 15:11
    Even though [this post](https://lessthan12ms.com/dont-trust-files-users-upload-to-your-server.html) doesn't cover both file name and extension, at least it can give you an idea of the kind of things that can happen. Also, by generating a file name you significantly reduce the chances of storing files with the same name. – Kenny Horna Sep 03 '22 at 15:13

1 Answer


A few things I had to implement to kind of avoid this security hole, since nothing is safe nowadays.

1- Use a custom approach to name files; you can, for instance, add a GUID to the client file name.

2- Add it right after `method="POST"` in the form tag: `<form method="POST" enctype="multipart/form-data">`

3- For the validation you can add

```php
'image' => 'file|mimes:jpg,jpeg,png,gif|max:1024',
```
jmvcollaborator
  • I am pondering the same problem. I am using `$this->photo->store('photos');` to store an image, and it creates a unique name (GUID). But I think I want to store the original name in a table, so I am trying `$name = htmlspecialchars($this->photo->getClientOriginalName());` hoping the html() function will take out anything dangerous. I'm not sure that is enough. As you know, the Laravel docs recommend using `$file->hashName()`, but what good is the hash name? You cannot get the original name of the file from the hash name, I don't think; hashName() will return a different name for the same file. – Robert Bryan Davis Sep 17 '22 at 22:12
  • A good practice is to store it as hash+datetime.now; you can even tokenize that concatenation to simplify any query. – jmvcollaborator Sep 17 '22 at 22:39
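The question asks how a file name can be unsafe, and the answer and Robert's comment both want to keep the original name around while storing the file under a generated one. The following is an added example, not code from the question, the answer, or Laravel itself: plain PHP 8 with no framework dependency, so it runs stand-alone. It shows the concrete ways a client-supplied name is untrusted input (directory traversal segments, a NUL byte that hides a trailing `.php`, a double extension, HTML in the name, an oversized name) and one defensive way to derive a display/database name from it while the on-disk name comes only from the server. The function names `safeDisplayName` and `storedName` and the sample names are my own constructions; in a Laravel controller the two inputs would be `$request->file('image')->getClientOriginalName()` (untrusted) and `->extension()` (derived from the detected MIME type, which is what the docs recommend), and the file would be written with `storeAs('photos', storedName($ext))`.

```php
<?php
// Added example (not from the question, the answer, or Laravel): treat the
// client's file name as untrusted input, keep a sanitized copy for display,
// and store the file under a server-generated name.
// Assumptions: plain PHP 8, no framework; $serverExtension is the extension
// the server derived from MIME sniffing, never from the client name.

declare(strict_types=1);

/**
 * Turn an untrusted client file name into a value that is safe to keep in a
 * database column and to echo back in HTML or a Content-Disposition header.
 *
 * Each step is keyed to a way the raw name can hurt:
 *  - cut at the first NUL: some C-level APIs stop reading there, so
 *    "pic.jpg\0.php" can be validated as .jpg and written as .php;
 *  - keep only the last path segment (POSIX or Windows separators), so
 *    "../../.env" cannot steer a later file operation out of the upload dir;
 *  - drop the client's own extension and collapse remaining dots, so
 *    "shell.php.jpg" cannot keep an inner ".php" that a mis-configured
 *    handler mapping might execute;
 *  - strip control characters and replace anything outside a conservative
 *    character set, so names carrying HTML or shell metacharacters are inert;
 *  - bound the length so a multi-kilobyte name cannot overflow a VARCHAR;
 *  - append only the server-determined extension.
 */
function safeDisplayName(string $clientName, string $serverExtension, int $maxBase = 100): string
{
    // 1. NUL truncation: everything after "\0" is invisible to many APIs.
    $nul = strpos($clientName, "\0");
    if ($nul !== false) {
        $clientName = substr($clientName, 0, $nul);
    }

    // 2. Strip any directory part, treating both separators as separators.
    $base = basename(str_replace('\\', '/', $clientName));

    // 3. Remove the client's extension; the server decides the suffix.
    $base = preg_replace('/\.[^.]*$/', '', $base) ?? '';

    // 4. Remove control chars, then collapse every other disallowed run
    //    (including dots) to a single underscore.
    $base = preg_replace('/[\x00-\x1F\x7F]/', '', $base) ?? '';
    $base = preg_replace('/[^A-Za-z0-9_-]+/', '_', $base) ?? '';
    $base = trim($base, '_-');

    // 5. Bound the length and fall back to a neutral name if nothing is left.
    $base = substr($base, 0, $maxBase);
    if ($base === '') {
        $base = 'upload';
    }

    // Server-validated extension only: lower-case letters and digits.
    $ext = strtolower(preg_replace('/[^a-z0-9]/i', '', $serverExtension) ?? '');
    return $ext === '' ? $base : $base . '.' . $ext;
}

/**
 * Name the file is stored under on disk: random and collision-resistant,
 * with no client input at all (same idea as Laravel's hashName()).
 */
function storedName(string $serverExtension): string
{
    return bin2hex(random_bytes(16)) . '.' . strtolower($serverExtension);
}

// Constructed sample client names, one per failure mode described above.
$samples = [
    "holiday photo.jpg",
    "../../../.env",
    "..\\..\\windows\\win.ini",
    "shell.php.jpg",
    "pic.jpg\0.php",
    "<script>alert(1)</script>.png",
    str_repeat('a', 500) . '.gif',
];

// Pretend the server's MIME sniff said every upload is a JPEG.
foreach ($samples as $name) {
    $shown = addcslashes(substr($name, 0, 36), "\0..\37");
    printf("%-40s -> %s (on disk: %s)\n", $shown, safeDisplayName($name, 'jpg'), storedName('jpg'));
}
```

The split into two names is the point: the random `storedName()` is the only thing that ever touches the filesystem, which is why the docs steer you toward `hashName()`, while `safeDisplayName()` gives you the "original name in a table" that Robert wants without trusting it. Running the block prints `shell.php.jpg` as `shell_php.jpg`, `pic.jpg\0.php` as `pic.jpg`, and `../../../.env` as `upload.jpg`. Note that `htmlspecialchars()` alone, as in Robert's comment, only addresses the HTML case; it does nothing about traversal, NUL bytes, or a second extension.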