Accept file uploads securely: validate MIME type, check size, use secure_filename, save to disk.
File Uploads
import os
import uuid

from werkzeug.utils import secure_filename
# Directory uploads are written to; resolved relative to the working directory.
UPLOAD_FOLDER = "uploads"
# Lower-case extensions (no dot) that allowed_file() accepts.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "webp", "pdf"}
# MAX_CONTENT_LENGTH bounds the whole request body, so an oversized upload is
# refused before the view runs rather than checked per handler.
app.config.update(
    UPLOAD_FOLDER=UPLOAD_FOLDER,
    MAX_CONTENT_LENGTH=16 * 1024 * 1024,  # 16 MB
)
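def allowed_file(filename, allowed=None):
    """Return True if *filename* ends in an extension listed in *allowed*.

    Only the text after the last "." is examined, case-insensitively, so
    "photo.PNG" is judged by "png" and "archive.tar.gz" by "gz". A name with
    no dot, or with a trailing dot and nothing after it, is rejected. This is
    purely a naming rule: it does not look at the file's content.

    Args:
        filename: Name to test; must be a str.
        allowed: Set of lower-case extensions without the dot. Defaults to
            the module-level ALLOWED_EXTENSIONS.

    Returns:
        bool
    """
    permitted = ALLOWED_EXTENSIONS if allowed is None else allowed
    _stem, dot, ext = filename.rpartition(".")
    # rpartition returns an empty separator when there is no "." in the name.
    return bool(dot) and ext.lower() in permitted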
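@app.route("/upload", methods=["POST"])
@login_required
def upload():
    """Store the multipart "file" field on disk and return its stored name.

    Request size is bounded by app.config["MAX_CONTENT_LENGTH"], so this view
    only validates the name. The client-supplied filename is passed through
    secure_filename() *before* the extension check, so the extension that is
    validated is the one the file is actually saved under (secure_filename
    drops characters and may return "" for a name made entirely of characters
    it strips). The stored name is prefixed with a random uuid4 hex so two
    uploads with the same name never overwrite each other. Neither the
    declared Content-Type nor the file bytes are inspected here; the extension
    check is a naming rule, not evidence about content.

    Returns:
        (JSON body, status): 400 with an "error" key when no file field was
        sent, the selected name is empty, or the sanitised name has no allowed
        extension; 201 with {"filename": <stored name>} on success.
    """
    if "file" not in request.files:
        return jsonify({"error": "No file"}), 400
    file = request.files["file"]
    # An empty submission arrives with filename "" ; treat None the same way.
    if not file.filename:
        return jsonify({"error": "No selected file"}), 400
    # Sanitise first so the extension check sees the name that reaches disk.
    filename = secure_filename(file.filename)
    if not filename or not allowed_file(filename):
        return jsonify({"error": "File type not allowed"}), 400
    unique = uuid.uuid4().hex + "_" + filename
    file.save(os.path.join(app.config["UPLOAD_FOLDER"], unique))
    return jsonify({"filename": unique}), 201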