blob: 4ae822e305022ba53e9413de5952e3b2679f554d (
plain) (
blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
|
Based on upstream 3ab8ec7d14178bb2ac39a4bcc972f2258254196e with unnecessary
conflicting hunk dropped
diff --git a/src/actix/api/snapshot_api.rs b/src/actix/api/snapshot_api.rs
index b8b40c6b..0fbed314 100644
--- a/src/actix/api/snapshot_api.rs
+++ b/src/actix/api/snapshot_api.rs
@@ -75,6 +75,15 @@ pub async fn do_save_uploaded_snapshot(
) -> std::result::Result<Url, StorageError> {
let filename = snapshot
.file_name
+ // Sanitize the file name:
+ // - only take the top level path (no directories such as ../)
+ // - require the file name to be valid UTF-8
+ .and_then(|x| {
+ Path::new(&x)
+ .file_name()
+ .map(|filename| filename.to_owned())
+ })
+ .and_then(|x| x.to_str().map(|x| x.to_owned()))
.unwrap_or_else(|| Uuid::new_v4().to_string());
let collection_snapshot_path = toc.snapshots_path_for_collection(collection_name);
if !collection_snapshot_path.exists() {
|