If we have a web page that able to read or delete file (based on name) inside certain folder, for example: 'public/upload/'
, what kind of filtering we must use to prevent security issues?
For example in Ruby/Sinatra:
file_name = params[:file_name]
base_dir = 'public/upload/'
# prevent user from entering ../../../../../etc/passwd or any other things
file_name.gsub!('../','')
File.delete "#{base_dir}/#{file_name}"
Is it enough?