Adding max_length in secure_filename

1) adding max_length parameter which truncates the file but includes the ext. 2) This is presently set to None but can be set 255 characters.
falconry · Dec 12, 2024 · fe1a82a · fe1a82a
1 parent 11076b8
commit fe1a82a
Show file tree

Hide file tree

Showing 2 changed files with 20 additions and 2 deletions.
diff --git a/falcon/media/multipart.py b/falcon/media/multipart.py
@@ -592,6 +592,15 @@ class MultipartParseOptions:
     If the body part headers size exceeds this value, an instance of
     :class:`.MultipartParseError` will be raised.
     """
+    max_filename_length: Optional[int]
+    """The maximum length of filenames in multipart forms (default ``None``).
+
+    If the filename exceeds this value, it will be truncated while preserving
+    the file extension. Defaults to ``None`` for backward compatibility.
+
+    .. note::
+        Starting from Falcon 5.0, this will default to 255 characters.
+    """
     media_handlers: Handlers
     """A dict-like object for configuring the media-types to handle.
 

diff --git a/falcon/util/misc.py b/falcon/util/misc.py
@@ -32,6 +32,7 @@
 import re
 from typing import Any, Callable, Dict, List, Mapping, Optional, Tuple, Union
 import unicodedata
+import os
 
 from falcon import status_codes
 from falcon.constants import PYPY
@@ -336,7 +337,7 @@ def get_argnames(func: Callable[..., Any]) -> List[str]:
     return args
 
 
-def secure_filename(filename: str) -> str:
+def secure_filename(filename: str, max_length: int = None) -> str:
     """Sanitize the provided `filename` to contain only ASCII characters.
 
     Only ASCII alphanumerals, ``'.'``, ``'-'`` and ``'_'`` are allowed for
@@ -357,6 +358,8 @@ def secure_filename(filename: str) -> str:
     Args:
         filename (str): Arbitrary filename input from the request, such as a
             multipart form filename field.
+        max_length (int, optional): Maximum length of the sanitized filename,
+            including the file extension. If None, no truncation is applied.
 
     Returns:
         str: The sanitized filename.
@@ -373,7 +376,13 @@ def secure_filename(filename: str) -> str:
     filename = unicodedata.normalize('NFKD', filename)
     if filename.startswith('.'):
         filename = filename.replace('.', '_', 1)
-    return _UNSAFE_CHARS.sub('_', filename)
+    filename = _UNSAFE_CHARS.sub('_', filename)
+
+    if max_length is not None and len(filename) > max_length:
+        name, ext = os.path.splitext(filename)
+        filename = name[:max_length - len(ext)] + ext
+
+    return filename
 
 
 @_lru_cache_for_simple_logic(maxsize=64)