Not handled DecodeError on the server side on file upload with double extension #8544
Open
Labels
- feature:st.file_uploader
- status:needs-triage: Has not been triaged by the Streamlit team
- type:bug: Something isn't working
Checklist
Summary
Hello Streamlit team,
First of all, thank you for the great work!
We have developed an application using Streamlit and deployed it as a container using Azure App services, and in order to tackle the security concerns we have been performing penetration tests.
A minor finding was related to improper error handling: on both the client side and the server side, a traceback should not be displayed, because this can pose security risks.
We can't solve it on the application side, as the error gets displayed from the Streamlit scripts.
Reproducible Code Example
Steps To Reproduce
- https://portswigger.net/burp/documentation/desktop/getting-started/intercepting-http-traffic
- https://portswigger.net/burp/documentation/desktop/getting-started/modifying-http-requests
Expected Behavior
I expect that the DecodeError is properly handled and that no traceback is displayed on the server, but rather a custom message.
Current Behavior
Error message on server:
Handled error on client:
Is this a regression?
Debug info
Additional Information
No response