authorAnton Khirnov <anton@khirnov.net>2023-03-30 17:15:40 +0200
committerAnton Khirnov <anton@khirnov.net>2023-03-30 17:19:11 +0200
commitd4e65382822a44c40946e08af4af82f322b6e464 (patch)
tree17fd436169ae258c670e1228775e1a99e0119a43
parent6e5ad0c6739864adb8643aa93d9d42d44469ea15 (diff)
Do not use _process_path() in do_POST()
The submitted request path is not a filesystem path, so it makes no sense to process it like one. * unquote it as UTF-8 rather than ASCII, since the user may submit Unicode filenames * perform basic sanitization of the basename that ends up in the URL returned to the user
-rwxr-xr-xfshare.py10
1 files changed, 7 insertions, 3 deletions
diff --git a/fshare.py b/fshare.py
index 228f5e6..61d9dcd 100755
--- a/fshare.py
+++ b/fshare.py
@@ -399,7 +399,9 @@ class FShareRequestHandler(hs.BaseHTTPRequestHandler):
def do_POST(self):
self._log_request()
- src_fname = os.path.basename(self._process_path(self.path))
+ src_fname = os.path.basename(urlparse.unquote(self.path))
+ if '/' in src_fname or src_fname in ('.', '..'):
+ src_fname = ''
if 'Transfer-Encoding' in self.headers:
if self.headers['Transfer-Encoding'] != 'chunked':
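Review bot: The query string (and any fragment) of the request line survives into `src_fname` on the new `os.path.basename(urlparse.unquote(self.path))` line, so `POST /report.txt?x=1` yields the basename `report.txt?x=1`, which then feeds `os.path.splitext` and the returned URL; it is percent-encoded later so it is not dangerous, but it is not the name the client sent. Assuming `urlparse` is `urllib.parse` here, the fix is to take only the path component first: `src_fname = os.path.basename(urlparse.unquote(urlparse.urlsplit(self.path).path))`. The `'/' in src_fname` half of the added guard can never be true, because `os.path.basename` already strips everything up to the last `/` (and `%2F` is decoded before that split), so the check can be reduced to `if src_fname in ('.', '..'):` with a comment such as `# basename() never returns a separator; only the dot entries need rejecting`. do_POST continues past this hunk, so how the sanitized name is used further down (beyond the URL in the second hunk) is not visible here.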
@@ -457,8 +459,10 @@ class FShareRequestHandler(hs.BaseHTTPRequestHandler):
self._logger.info('%s->%s', dst_fname, path)
path += os.path.splitext(src_fname)[1]
else:
- # private srever: resulting URL is the secret HMAC + original basename
- path = dst_fname + '/' + src_fname
+ # private server: resulting URL is the secret HMAC + original basename
+ path = dst_fname
+ if src_fname:
+ path += '/' + src_fname
path = urlparse.quote(path)
reply = ('https://%s/%s' % (host, path)).encode('ascii')