
Any program that uses filenames as keys (and there are many) can have this vulnerability if the input validation has a weakness.

That's why things like upload sites usually ignore the provided file name and generate their own (unique) one, or else limit it to a very safe subset like [0-9A-Za-z_].




The POSIX portable filename character set is:

  A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
  a b c d e f g h i j k l m n o p q r s t u v w x y z
  0 1 2 3 4 5 6 7 8 9 . _ -
Additionally:

* The slash `/` is portable as a separator.

* The filename should not be empty

* The filenames `.` and `..` are special (in many contexts it's reasonable to exclude all components that start with a dot).

* The filename should not start with a `-`

* The entire path should be no more than 256 bytes and no component should be more than 14 bytes (widely ignored since we assume modern filesystems).
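The two approaches above (mint your own name and ignore the client's, or validate against the POSIX portable set) as an added example; this is not code posted by either commenter. It assumes a few policy choices not stated in the thread: user-supplied paths must be relative, dot-components are rejected by default, and a whitelist of extensions is the only thing kept from the client's name. The 256/14 byte limits are the ones the comment quotes and are parameters.

```python
import re
import secrets

# Component charset from the POSIX portable filename character set quoted above.
PORTABLE_COMPONENT = re.compile(r"^[A-Za-z0-9._-]+$")
MAX_PATH_BYTES = 256        # _POSIX_PATH_MAX as quoted in the comment
MAX_COMPONENT_BYTES = 14    # _POSIX_NAME_MAX as quoted in the comment


def validate_portable_path(path, *, max_path=MAX_PATH_BYTES,
                           max_component=MAX_COMPONENT_BYTES,
                           allow_dotfiles=False):
    """Return None if `path` satisfies the portable rules, else a short reason.

    Assumption (not from the thread): absolute paths are rejected, since a
    client-supplied key should never escape the base directory.
    """
    if not path:
        return "empty path"
    if path.startswith("/"):
        return "absolute path"
    if len(path.encode("utf-8")) > max_path:
        return "path too long"
    for comp in path.split("/"):
        if comp == "":
            return "empty component"          # "a//b" or trailing slash
        if comp in (".", ".."):
            return "special component"        # the classic traversal case
        if not allow_dotfiles and comp.startswith("."):
            return "dotfile"
        if comp.startswith("-"):
            return "leading dash"             # would be parsed as an option by tools
        if not PORTABLE_COMPONENT.match(comp):
            return "non-portable character"   # spaces, unicode, NUL, etc.
        if len(comp.encode("utf-8")) > max_component:
            return "component too long"
    return None


def restrict_to_safe_subset(name, max_len=64):
    """Map any client name onto [0-9A-Za-z_] by replacing everything else with '_'.

    Note the mapping is lossy: "a b" and "a_b" collide, so this is a display
    name, not a unique key.
    """
    cleaned = re.sub(r"[^0-9A-Za-z_]", "_", name)[:max_len]
    return cleaned or "_"


def generate_upload_name(user_supplied, allowed_exts=("png", "jpg", "txt")):
    """Ignore the client's name entirely and mint a random one.

    Only a whitelisted extension survives (assumed policy); anything else,
    including names with no extension or with path junk, becomes ".bin".
    """
    m = re.search(r"\.([A-Za-z0-9]+)$", user_supplied)
    ext = m.group(1).lower() if m else ""
    if ext not in allowed_exts:
        ext = "bin"
    return f"{secrets.token_hex(16)}.{ext}"


if __name__ == "__main__":
    # Constructed sample inputs, including the usual traversal attempts.
    for p in ["docs/readme.txt", "../etc/passwd", "-rf", "a/b/c d", ".bashrc", "a//b"]:
        print(f"{p!r:20} -> {validate_portable_path(p)}")
    print(restrict_to_safe_subset("../etc/passwd"))
    print(generate_upload_name("../../etc/passwd"))
```

`validate_portable_path` is the strict option for systems that must interoperate with arbitrary filesystems; `generate_upload_name` is what most upload services actually do, since it removes the client from the naming decision altogether.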



