fix(upload): prevent path traversal on upload directory

closes #2
orhun 2021-07-28 00:13:14 +03:00
parent 60c25e2fbc
commit 315585db36
No known key found for this signature in database
GPG key ID: F83424824B3E4B90


@ -1,6 +1,7 @@
use crate::config::Config; use crate::config::Config;
use std::fs::File; use std::fs::File;
use std::io::{Result as IoResult, Write}; use std::io::{Result as IoResult, Write};
use std::path::PathBuf;
/// Writes the bytes to a file in upload directory. /// Writes the bytes to a file in upload directory.
/// ///
@ -10,10 +11,16 @@ use std::io::{Result as IoResult, Write};
/// ///
/// [`default_extension`]: crate::config::PasteConfig::default_extension /// [`default_extension`]: crate::config::PasteConfig::default_extension
/// [`random_url.enabled`]: crate::random::RandomURLConfig::enabled /// [`random_url.enabled`]: crate::random::RandomURLConfig::enabled
pub fn save(mut file_name: &str, bytes: &[u8], config: &Config) -> IoResult<String> { pub fn save(file_name: &str, bytes: &[u8], config: &Config) -> IoResult<String> {
if file_name == "-" { let file_name = match PathBuf::from(file_name)
file_name = "stdin"; .file_name()
} .map(|v| v.to_str())
.flatten()
{
Some("-") => String::from("stdin"),
Some(v) => v.to_string(),
None => String::from("file"),
};
let mut path = config.server.upload_path.join(file_name); let mut path = config.server.upload_path.join(file_name);
match path.clone().extension() { match path.clone().extension() {
Some(extension) => { Some(extension) => {
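Review bot: The sanitising expression at the top of `save` blocks traversal only because `file_name()` returns `None` for a name ending in `..` (and for `/` or an empty string), and neither the code nor the doc comment says so, so a later refactor could lose that property unnoticed. I would add `// Keep only the final path component; names without one ("..", "/", empty) fall back to "file".` above the `match`, and extend the doc comment to state that directory components of `file_name` are discarded. The chain can also drop the allocation and the `map`/`flatten` pair: `match Path::new(file_name).file_name().and_then(|v| v.to_str()) {`, with the new import changed to `use std::path::Path;`. No test for names such as `../x` or `..` is visible in this view; one would pin the behaviour. The body of `save` continues past the end of the hunk.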