How can I safely encode a string in Java to use as a filename?

java string file encoding
Steve McLeod picture Steve McLeod · Jul 26, 2009 · Viewed 82.4k times · Source

I'm receiving a string from an external process. I want to use that String to make a filename, and then write to that file. Here's my code snippet to do this:

    String s = ... // comes from external source
    File currentFile = new File(System.getProperty("user.home"), s);
    PrintWriter currentWriter = new PrintWriter(currentFile);

If s contains an invalid character, such as '/' in a Unix-based OS, then a java.io.FileNotFoundException is (rightly) thrown.

How can I safely encode the String so that it can be used as a filename?

Edit: What I'm hoping for is an API call that does this for me.

I can do this:

    String s = ... // comes from external source
    File currentFile = new File(System.getProperty("user.home"), URLEncoder.encode(s, "UTF-8"));
    PrintWriter currentWriter = new PrintWriter(currentFile);

But I'm not sure whether URLEncoder it is reliable for this purpose.

Answer

cletus picture cletus · Jul 26, 2009

My suggestion is to take a "white list" approach, meaning don't try and filter out bad characters. Instead define what is OK. You can either reject the filename or filter it. If you want to filter it:

String name = s.replaceAll("\\W+", "");

What this does is replaces any character that isn't a number, letter or underscore with nothing. Alternatively you could replace them with another character (like an underscore).

The problem is that if this is a shared directory then you don't want file name collision. Even if user storage areas are segregated by user you may end up with a colliding filename just by filtering out bad characters. The name a user put in is often useful if they ever want to download it too.

For this reason I tend to allow the user to enter what they want, store the filename based on a scheme of my own choosing (eg userId_fileId) and then store the user's filename in a database table. That way you can display it back to the user, store things how you want and you don't compromise security or wipe out other files.

You can also hash the file (eg MD5 hash) but then you can't list the files the user put in (not with a meaningful name anyway).

EDIT:Fixed regex for java

Related questions

How do I create a Java string from the contents of a file?

I've been using the idiom below for some time now. And it seems to be the most wide-spread, at least on the sites I've visited. Is there a better/different way to read a file into a string in Java? …

Read More
In Java, how do I parse XML as a String instead of a file?

I have the following code: DocumentBuilderFactory.newInstance().newDocumentBuilder().parse(xmlFile); How can I get it to parse XML contained within a String instead of a file?

Read More
How do I convert a String to an int in Java?

How can I convert a String to an int in Java? My String contains only numbers, and I want to return the number it represents. For example, given the string "1234" the result should be the number 1234.

Read More