From 315585db362add0d6ab35cce1ea51344181b739b Mon Sep 17 00:00:00 2001
From: orhun
Date: Wed, 28 Jul 2021 00:13:14 +0300
Subject: [PATCH] fix(upload): prevent path traversal on upload directory closes #2
---
 src/file.rs | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)
diff --git a/src/file.rs b/src/file.rs
index 2996bcd..d97669f 100644
--- a/src/file.rs
+++ b/src/file.rs
@@ -1,6 +1,7 @@
 use crate::config::Config;
 use std::fs::File;
 use std::io::{Result as IoResult, Write};
+use std::path::PathBuf;
 /// Writes the bytes to a file in upload directory.
 ///
@@ -10,10 +11,16 @@ use std::io::{Result as IoResult, Write};
 ///
 /// [`default_extension`]: crate::config::PasteConfig::default_extension
 /// [`random_url.enabled`]: crate::random::RandomURLConfig::enabled
-pub fn save(mut file_name: &str, bytes: &[u8], config: &Config) -> IoResult {
- if file_name == "-" {
- file_name = "stdin";
- }
+pub fn save(file_name: &str, bytes: &[u8], config: &Config) -> IoResult {
+ let file_name = match PathBuf::from(file_name)
+ .file_name()
+ .map(|v| v.to_str())
+ .flatten()
+ {
+ Some("-") => String::from("stdin"),
+ Some(v) => v.to_string(),
+ None => String::from("file"),
+ };
 let mut path = config.server.upload_path.join(file_name);
 match path.clone().extension() {
 Some(extension) => {
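Review bot: The new sanitisation at the top of `save` is not pinned by any test, and the doc comment above it still does not mention that directory components are stripped or that the name falls back to `"file"`; the diffstat shows only these two hunks in src/file.rs. A unit test that passes names such as `../x.txt`, `/abs/x.txt`, `..` and an empty string, and asserts the resulting path sits directly under `config.server.upload_path`, would keep the fix from regressing. As a style point, `.map(|v| v.to_str()).flatten()` in the `match` scrutinee is the shape clippy's `map_flatten` lint rewrites to `.and_then(|v| v.to_str())`. The body of `save` continues past the end of the hunk, so how the sanitised name interacts with the extension and random-URL handling is not visible here.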