chrisjsewell
commented
1 year ago Note there was an issue opened on this _ stripping, but its not very informative 🤷 : https://github.com/pallets/werkzeug/issues/1398
Open chrisjsewell opened 1 year ago
chrisjsewell
commented
1 year ago Note there was an issue opened on this _ stripping, but its not very informative 🤷 : https://github.com/pallets/werkzeug/issues/1398
chrisjsewell
commented
1 year ago Note also, this secure_filename function is used in a few other places
khsrali
commented
1 month ago Just for the record: this wired :smile: issue is fixed now. I think we can close here.
During the upload operation, a function
secure_filenameis applied to the filename: https://github.com/eth-cscs/firecrest/blob/7f02d11b224e4faee7f4a3b35211acb9c1cc2c6a/src/utilities/utilities.py#L372 (this function: https://github.com/pallets/werkzeug/blob/417268cb0ff2ecf8da29f80d542b0b10c97bab01/src/werkzeug/utils.py#L194)This is really problematic because, among other things, it will strip
_and.from the ends of the filename. In AiiDA, for example, we use_aiidasubmit.shfor all SLURM submission scripts, which now gets copied asaiidasubmit.sh, and thus everything fails because it cannot find the file ðŸ˜Obviously, I can understand if you want to have security checks, but especially stripping
_seems very unnecessary?I would probably expect at least that the upload simply failed, if the "secure" filename was different from the original filename, otherwise it leads to very unexpected (and difficult to debug) outcomes