How to solve error 403 when uploading file using Ajax? (Name with quotation mark)

0

I have the following problem. I have developed a module for uploading files using ajax + jquery + laravel 5.1. The problem I have is when I try to upload a file with a single quote inside its name, for example: `name of my mexico file' s.pdf`. When running the process locally (on my pc) I do not get the problem; the conflict arises when I try to do it on my production site (shared hosting).

error:

    Request URL: http: // **** / upload
    Request Method: POST
    Status Code: 403 Forbidden

asked by Julio César Cardoso 07.07.2016 at 18:18

1 answer

0

My answer will deal with two topics: 1. a possible solution to the quote issue, which generalizes to the use of "special" characters, and 2. the terrible security hole that you create in your production site as a result of your handling of file names.

  • Many operating systems (especially the unix-linux family) restrict file and directory names to a limited character set of letters, numbers, hyphens, periods and spaces, and reject characters such as quotes, accented letters, etc. Some mark hidden files with a leading dot or other prefix. So, if you can create (upload and save) the file without the quote, you can assume your hosting imposes that limitation on you.

  • Using names as they are collected from `$_FILES` is totally discouraged, for security reasons such as the following:

    • Validations based on extensions are purely formal; anyone can change an extension and offer a malicious file with a changed extension.
    • Additionally, if the name contains sequences of dots and separators, it can cause a "movement" within the directory tree and replace sensitive files, or land in a directory where it can be executed.
    • On the other hand, suppose a "naive" attack that does not seek to harm the system, or even to intrude: they use you to host pornography, warez, or socially or politically dangerous material, and since they know the file names, they know what paths to offer to their future users or contacts.

  • There is more, but it is not worth extending this for now. I leave this example from another answer so that you can see a serious attack: A database delete attack.

From all this it follows that you should NEVER use the file names offered by users; it is BAD PRACTICE to do so (sorry for shouting). Those names must be saved as metadata, or as complementary information in the records of the names under which the files are actually stored. Files uploaded to the server should be saved under pseudo-random, secure names, with read-only permission, in directories without execute permission.

answered 18.06.2018 at 05:09
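As an added example (not code from the question or the answer), here is a Laravel 5.1 controller method that follows the answer's advice: the type is checked from the file content rather than the extension, the file is written under a pseudo-random name in a directory outside the web root, and the client-supplied name is kept only as metadata. The form field `archivo`, the `uploads` table, its columns and the `storage/app/uploads` directory are assumptions.

```php
<?php
// Added example: safe handling of an uploaded file in a Laravel 5.1 controller.
// Field name, table name and storage directory are assumptions, not from the page.
namespace App\Http\Controllers;

use Illuminate\Http\Request;
use Illuminate\Support\Str;
use Illuminate\Support\Facades\DB;

class UploadController extends Controller
{
    // Allow-list of MIME types detected from content, mapped to the extension
    // we write to disk. The client-supplied extension is never used.
    private $allowed = [
        'application/pdf' => 'pdf',
        'image/png'       => 'png',
        'image/jpeg'      => 'jpg',
    ];

    public function store(Request $request)
    {
        $file = $request->file('archivo');
        if ($file === null || !$file->isValid()) {
            return response()->json(['error' => 'upload failed'], 400);
        }

        // Content-based detection (finfo), read before move() invalidates the temp path.
        $mime = $file->getMimeType();
        if (!isset($this->allowed[$mime])) {
            return response()->json(['error' => 'file type not allowed'], 415);
        }

        // Pseudo-random stored name: no quotes, dots, spaces or separators from the user.
        $storedName = Str::random(40) . '.' . $this->allowed[$mime];

        // Assumed directory outside the web root; files are made read-only after the move.
        $dir = storage_path('app/uploads');
        $file->move($dir, $storedName);
        chmod($dir . '/' . $storedName, 0444);

        // The original name is metadata only; it never touches the filesystem.
        DB::table('uploads')->insert([
            'stored_name'   => $storedName,
            'original_name' => $file->getClientOriginalName(),
            'mime'          => $mime,
            'created_at'    => date('Y-m-d H:i:s'),
        ]);

        return response()->json(['id' => $storedName]);
    }
}
```

Because the name written to disk contains only characters from `Str::random`, the quote in the user's file name no longer reaches the filesystem or the hosting's request filters, and downloads are served by looking up `stored_name` from the table rather than by user-provided paths.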