Skip to content

Additional validation for st.file_uploader files #11883

Closed
#11884
Closed
Additional validation for st.file_uploader files#11883
#11884
Labels
feature:st.file_uploaderRelated to the `st.file_uploader` widgettype:enhancementRequests for feature enhancements or new features
@sfc-gh-lwilby

Description

@sfc-gh-lwilby
sfc-gh-lwilby
opened on Jul 8, 2025

Checklist

  • I have searched the existing issues for similar feature requests.
  • I added a descriptive title and summary to this issue.

Summary

Only literal comparison is used to enforce file extension restriction.

Users can upload file named "filename.anyExt:$fakeStream.allowedExt" to bypass st.file_uploader type restriction on NTFS.

The request is to add additional validation by putting some kind of validation in the file name for invalid/malicious characters i.e. ', “, :, ; etc.

Note: Streamlit considers this feature a usability feature and expects developers to do additional security validation as required by their application.

Why?

No response

How?

No response

Additional Context

No response

Metadata

Metadata

Assignees

No one assigned

    Labels

    feature:st.file_uploaderRelated to the `st.file_uploader` widgettype:enhancementRequests for feature enhancements or new features

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions