author | Anton Khirnov <anton@khirnov.net> | 2023-03-30 17:15:40 +0200 |
committer | Anton Khirnov <anton@khirnov.net> | 2023-03-30 17:19:11 +0200 |
commit | d4e65382822a44c40946e08af4af82f322b6e464 (patch) | |
tree | 17fd436169ae258c670e1228775e1a99e0119a43 /fshare.py | |
parent | 6e5ad0c6739864adb8643aa93d9d42d44469ea15 (diff) |
Do not use _process_path() in do_POST()
The submitted request path is not a filesystem path, so it makes no
sense to process it like one.
* unquote it as UTF-8, not ASCII, since the user can submit unicode
filenames
* perform basic sanitization on the URL returned to the user
Diffstat (limited to 'fshare.py')
-rwxr-xr-x | fshare.py | 10 |
1 files changed, 7 insertions, 3 deletions
@@ -399,7 +399,9 @@ class FShareRequestHandler(hs.BaseHTTPRequestHandler):
     def do_POST(self):
         self._log_request()
-        src_fname = os.path.basename(self._process_path(self.path))
+        src_fname = os.path.basename(urlparse.unquote(self.path))
+        if '/' in src_fname or src_fname in ('.', '..'):
+            src_fname = ''
         if 'Transfer-Encoding' in self.headers:
             if self.headers['Transfer-Encoding'] != 'chunked':
@@ -457,8 +459,10 @@ class FShareRequestHandler(hs.BaseHTTPRequestHandler):
                 self._logger.info('%s->%s', dst_fname, path)
                 path += os.path.splitext(src_fname)[1]
             else:
-                # private srever: resulting URL is the secret HMAC + original basename
-                path = dst_fname + '/' + src_fname
+                # private server: resulting URL is the secret HMAC + original basename
+                path = dst_fname
+                if src_fname:
+                    path += '/' + src_fname
             path = urlparse.quote(path)
             reply = ('https://%s/%s' % (host, path)).encode('ascii')
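Review bot: The new `'/' in src_fname` test in the first hunk is redundant on POSIX hosts, because `os.path.basename` has already dropped everything through the last `/`, while two things the sanitization does not cover still reach `src_fname`: a query string or fragment, since `self.path` is the raw request-target and `?`/`#` are not separators for `basename`, and control characters such as NUL or newline decoded from percent-escapes by `unquote`. I would split the URL before unquoting and reject names with control characters, e.g. `src_fname = os.path.basename(urlparse.unquote(urlparse.urlsplit(self.path).path))` followed by `if src_fname in ('.', '..') or any(c < ' ' or c == '\x7f' for c in src_fname): src_fname = ''` (assuming `urlparse` is `urllib.parse`, as the `quote`/`unquote` calls suggest). Because a rejected name is silently replaced by `''` and the second hunk then just omits the basename from the reply, a `self._logger.warning('rejected filename in request path')` at the rejection point would make the drop visible in the logs. The remainder of do_POST, including whatever `src_fname` is later used for, lies outside both hunks, so the sufficiency of the `''` sentinel there cannot be judged from this diff.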