
File download name parameter manipulation via URL in the Mendix file download widget

Issue

When downloading a file using the standard File Download widget, the filename under which the browser saves the file can be changed by editing the name query parameter in the download URL.

For example, after uploading a file and downloading it through the application, the generated URL may look like:

/file?guid=<systemfiledocumentUUID>&changedDate=<date>&name=OriginalFile.pdf&target=internal

If a user manually changes the name parameter in the URL, such as:

/file?guid=<systemfiledocumentUUID>&changedDate=<date>&name=test.exe&target=internal

The file is then downloaded under the modified filename (here test.exe) instead of the original one. The bytes served are those of the same stored file; only the name the browser proposes changes.

This behavior may raise the question of whether users can manipulate the names of downloaded files, and whether that has security consequences.

Environment

Studio Pro (all versions)

Cause

The name parameter in the file download URL is used only to set the filename presented to the browser, that is, the name the browser proposes when saving the download. The file itself is selected by the guid parameter; the name parameter neither selects nor alters the content stored on the server.

File downloads are performed through an HTTP GET request, which only retrieves existing content. No data is written to the server, and the stored file is not modified. As a result:

  • The server does not execute or process the file based on the provided filename.

  • Modifying the name parameter does not change the file contents; a download with a modified name is byte-for-byte the same file as a download with the original name.

  • The behavior does not allow code injection or execution of arbitrary files on the Mendix server.

  • Only users with the required access permissions can obtain the download URL and download the file; the name parameter does not bypass any access check.

The filename shown to the user is therefore client-controlled presentation data, like any other query-string value, and any integrity concern should be assessed on the file content (selected by the guid), not on the name.

Solution/Workaround

This behavior is expected and cannot be prevented on the Mendix platform side: the download URL is sent by the client, and any user can edit or append query parameters before the request is made.

A workaround can be implemented by creating a custom nanoflow-based download button instead of using the standard File Download widget. This approach removes the name parameter from the generated download URL.

For example:

/file?guid=<systemfiledocumentUUID>

However, this does not fully prevent filename manipulation, since a user can still edit the URL and append a name parameter, such as:

/file?guid=<systemfiledocumentUUID>&name=test.exe

The file will still download under the specified filename, while the file content remains unchanged.

Therefore, there is currently no platform-level mechanism to enforce the original filename during download or to prevent users from altering the filename their browser presents.
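As an added illustration (not Mendix runtime code), the following Python models a GET /file handler that behaves as described above: guid selects the stored document, name is reflected only into the Content-Disposition header, and nothing on the server changes. The document store, the sample PDF bytes, the guid and the changedDate value are constructed for the example; the stripping of quotes and CR/LF from the header value is a defensive choice of this model and not a statement about the runtime's own handling. compare_downloads() runs the original and tampered URLs from this article, including the nanoflow-style URL with an appended name, and confirms that the bodies hash identically while only the proposed filename differs.

```python
"""Model of a GET /file download handler, illustrating why a client-supplied
``name`` query parameter changes only the proposed filename and never the
content. Added illustration; this is not Mendix runtime code."""
import hashlib
import uuid
from urllib.parse import parse_qs, urlsplit

# Constructed sample store: what the server holds for one FileDocument.
# The structure is assumed for the model; the real runtime stores files elsewhere.
SAMPLE_GUID = str(uuid.uuid4())
STORED_DOCS = {
    SAMPLE_GUID: {
        "name": "OriginalFile.pdf",
        "content": b"%PDF-1.4\n% constructed sample content\n%%EOF\n",
    },
}


def _header_safe(value: str) -> str:
    """Drop quotes and control characters (CR/LF included) from a value before
    placing it in a header. Defensive choice of this model only."""
    return "".join(ch for ch in value if ch not in '"' and ch >= " ")


def model_file_handler(url: str, store: dict = STORED_DOCS) -> tuple:
    """Return (status, headers, body) for a GET of a /file URL.

    Mirrors the behaviour the article describes: ``guid`` selects the stored
    document, ``name`` (if present) is only reflected into Content-Disposition,
    and the store is never written to.
    """
    qs = parse_qs(urlsplit(url).query)
    guid = qs.get("guid", [None])[0]
    doc = store.get(guid)
    if doc is None:
        return 404, {}, b""
    # The client-supplied name wins for presentation; fall back to the stored name.
    proposed = _header_safe(qs.get("name", [doc["name"]])[0]) or doc["name"]
    headers = {
        "Content-Type": "application/octet-stream",
        "Content-Disposition": f'attachment; filename="{proposed}"',
    }
    return 200, headers, doc["content"]


def proposed_filename(response: tuple) -> str:
    """Extract the filename the browser would propose from a model response."""
    disposition = response[1].get("Content-Disposition", "")
    marker = 'filename="'
    start = disposition.find(marker)
    if start < 0:
        return ""
    start += len(marker)
    return disposition[start:disposition.index('"', start)]


def compare_downloads(url_a: str, url_b: str) -> dict:
    """Fetch both URLs through the model and report whether the bodies are
    byte-identical (SHA-256) and which filenames were proposed."""
    resp_a = model_file_handler(url_a)
    resp_b = model_file_handler(url_b)
    return {
        "same_content": hashlib.sha256(resp_a[2]).hexdigest()
        == hashlib.sha256(resp_b[2]).hexdigest(),
        "filename_a": proposed_filename(resp_a),
        "filename_b": proposed_filename(resp_b),
    }


# The URL shapes from the article, with a constructed guid and changedDate.
ORIGINAL_URL = f"/file?guid={SAMPLE_GUID}&changedDate=20240101&name=OriginalFile.pdf&target=internal"
TAMPERED_URL = f"/file?guid={SAMPLE_GUID}&changedDate=20240101&name=test.exe&target=internal"
NANOFLOW_URL = f"/file?guid={SAMPLE_GUID}"
NANOFLOW_TAMPERED_URL = f"/file?guid={SAMPLE_GUID}&name=test.exe"

if __name__ == "__main__":
    # Both comparisons report same_content=True with differing filenames.
    print(compare_downloads(ORIGINAL_URL, TAMPERED_URL))
    print(compare_downloads(NANOFLOW_URL, NANOFLOW_TAMPERED_URL))
```

The same comparison can be made against a real application by saving the two downloads and hashing them: identical hashes confirm that the name parameter touched nothing but the filename the browser proposed.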

Internal information related

280592

Additional information

Mendix documentation: File Manager
