
filename `'.ext'` seen as a valid file extension

Open jkittner opened this issue 4 years ago • 2 comments

When using flask_wtf.file.FileAllowed to validate that a file has the correct file extension, a file named '.ext' is seen as having the correct file extension. For me this behavior was a little unexpected and I was wondering if this is intentional/correct.

  • on the one hand it does end with .ext so it is valid
  • on the other hand is this actually the file extension or the filename e.g. like a hidden file without an extension?

os.path.splitext('.ext') returns ('.ext', ''), so it treats it as the filename, not the extension. Would it be consistent/more correct to replace the .endswith here with a comparison to os.path.splitext()[1]? https://github.com/wtforms/flask-wtf/blob/6d2fcde659041aa7579cbb51ce4f329d88442716/src/flask_wtf/file.py#L84

a fix could be something like this maybe?: https://github.com/theendlessriver13/flask-wtf/blob/741aa2ed138e3b821b364b41496d4af91aec1e9b/src/flask_wtf/file.py#L84-L87

Any thoughts on this? I think an (explicit) workaround would be to add a separate custom validator checking the filename itself?

jkittner (Aug 12 '21 22:08)

Mhm, I thought a little more on this and my solution would not allow e.g. tar.gz (it would become gz only), so a different approach would be necessary to solve both cases...

jkittner (Aug 12 '21 22:08)

If the filename is tar.gz or example.tar.gz, treating gz as its extension seems reasonable: you can and should be able to unzip it to tar or example.tar, and example.tar will then be able to be untarred.

PeterDaveHello (Aug 16 '21 13:08)
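The three checks discussed in this thread side by side, as an added example that is not part of the issue and not flask-wtf's own code: `allowed_endswith` rewrites the `.endswith` comparison the issue links to as a stand-alone function, `allowed_splitext` is the `os.path.splitext()[1]` replacement from the first comment (which rejects `.ext` but also reduces `example.tar.gz` to `gz`), and `allowed_with_stem` is a hypothetical combined check that requires something other than a leading dot in front of the matched suffix, so `.ext` is rejected while `tar.gz` and `example.tar.gz` are still accepted. The `ALLOWED` tuple, the function names and the sample filenames are all constructed for the example.

```python
import os

# Constructed allow-list for the example; a real form would pass its own set.
ALLOWED = ("ext", "gz", "tar.gz")


def allowed_endswith(filename, allowed=ALLOWED):
    """Suffix check in the style of the linked .endswith line (rewritten here,
    not flask-wtf's code). A bare '.ext' passes because it ends with '.ext'."""
    name = filename.lower()
    return any(name.endswith("." + ext) for ext in allowed)


def allowed_splitext(filename, allowed=ALLOWED):
    """The os.path.splitext()[1] approach from the first comment.
    splitext('.ext') -> ('.ext', ''), so '.ext' is rejected, but
    splitext('example.tar.gz') -> ('example.tar', '.gz'), so only 'gz' is seen."""
    ext = os.path.splitext(filename.lower())[1]
    if not ext:
        return False
    return ext[1:] in allowed


def allowed_with_stem(filename, allowed=ALLOWED):
    """Hypothetical combined check: the name must end with an allowed suffix
    AND the part before that suffix must contain something other than dots.
    '.ext' and '..ext' fail (no stem); 'tar.gz' passes via 'gz' with stem 'tar';
    'example.tar.gz' passes via 'gz' (stem 'example.tar') or 'tar.gz' (stem 'example')."""
    # Strip any client-supplied path component (POSIX basename only in this example).
    name = os.path.basename(filename.lower())
    for ext in allowed:
        suffix = "." + ext
        if name.endswith(suffix):
            stem = name[: -len(suffix)]
            if stem.strip("."):
                return True
    return False


if __name__ == "__main__":
    # Constructed filenames covering the cases raised in the thread.
    for sample in (".ext", "report.ext", "tar.gz", "example.tar.gz", "..ext", "noext"):
        print(
            f"{sample:16} endswith={allowed_endswith(sample)!s:5} "
            f"splitext={allowed_splitext(sample)!s:5} "
            f"with_stem={allowed_with_stem(sample)!s:5}"
        )
```

The `allowed_with_stem` variant keeps the original's case-insensitive suffix match, so an allow-list containing `gz` still accepts `tar.gz`, which is the behaviour the last comment argues for; only the dotfile-with-no-stem case changes. Whatever check is chosen, the extension test says nothing about the file's content, so an upload handler should still inspect the bytes it receives rather than trusting the name.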