Move filename sanitization where it belongs

api/files.py

@@ -110,8 +110,13 @@ def process_form(request, hash_alg=None):
 def getHashingFieldStorage(upload_dir, hash_alg):
     class HashingFieldStorage(cgi.FieldStorage):
         bufsize = 2**20
+
         def make_file(self, binary=None):
-            self.open_file = HashingFile(os.path.join(upload_dir, os.path.basename(self.filename)), hash_alg)
+            # Sanitize form's filename (read: prevent malicious escapes, bad characters, etc)
+            self.filename = os.path.basename(self.filename)
+            self.filename = util.sanitize_string_to_filename(self.filename)
+
+            self.open_file = HashingFile(os.path.join(upload_dir, self.filename), hash_alg)
             return self.open_file
 
         # override private method __write of superclass FieldStorage

api/upload.py

@@ -92,10 +92,6 @@ def process_upload(request, strategy, container_type=None, id=None):
     for field in file_fields:
         field = form[field]
 
-        # Sanitize form's filename (read: prevent malicious escapes, bad characters, etc)
-        field.filename = os.path.basename(field.filename)
-        field.filename = util.sanitize_string_to_filename(field.filename)
-
         # Augment the cgi.FieldStorage with a variety of custom fields.
         # Not the best practice. Open to improvements.
         # These are presumbed to be required by every function later called with field as a parameter.