Struct multipart::server::SavedFile
[−]
[src]
pub struct SavedFile {
pub path: PathBuf,
pub filename: Option<String>,
pub size: u64,
pub truncated: bool,
// some fields omitted
}A file saved to the local filesystem from a multipart request.
Fields
path: PathBuf
The complete path this file was saved at.
filename: Option<String>
The original filename of this file, if one was provided in the request.
Warning: Provided by Client! Do not trust user input!
You should treat this value as untrustworthy because it is an arbitrary string provided by the client. You should not blindly append it to a directory path and save the file there, as such behavior could easily be exploited by a malicious client.
It is a serious security risk to create files or directories with paths based on user input. A malicious user could craft a path which can be used to overwrite important files, such as web templates, static assets, Javascript files, database files, configuration files, etc., if they are writable by the server process.
This can be mitigated somewhat by setting filesystem permissions as conservatively as possible and running the server under its own user with restricted permissions, but you should still not use user input directly as filesystem paths. If it is truly necessary, you should sanitize filenames such that they cannot be misinterpreted by the OS.
size: u64
The number of bytes written to the disk. May be truncated, check the truncated flag
before making any assumptions based on this number.
truncated: bool
If the file save limit was hit and the saved file ended up truncated.