From d4e65382822a44c40946e08af4af82f322b6e464 Mon Sep 17 00:00:00 2001
From: Anton Khirnov
Date: Thu, 30 Mar 2023 17:15:40 +0200
Subject: Do not use _process_path() in do_POST()

The submitted request path is not a filesystem path, so it makes no sense to process it like one.
* unquote it as UTF-8, not ASCII, since the user can submit unicode filenames
* perform basic sanitization on the URL returned to the user
---
 fshare.py | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/fshare.py b/fshare.py
index 228f5e6..61d9dcd 100755
--- a/fshare.py
+++ b/fshare.py
@@ -399,7 +399,9 @@ class FShareRequestHandler(hs.BaseHTTPRequestHandler):
     def do_POST(self):
         self._log_request()
 
-        src_fname = os.path.basename(self._process_path(self.path))
+        src_fname = os.path.basename(urlparse.unquote(self.path))
+        if '/' in src_fname or src_fname in ('.', '..'):
+            src_fname = ''
 
         if 'Transfer-Encoding' in self.headers:
             if self.headers['Transfer-Encoding'] != 'chunked':
@@ -457,8 +459,10 @@ class FShareRequestHandler(hs.BaseHTTPRequestHandler):
             self._logger.info('%s->%s', dst_fname, path)
             path += os.path.splitext(src_fname)[1]
         else:
-            # private srever: resulting URL is the secret HMAC + original basename
-            path = dst_fname + '/' + src_fname
+            # private server: resulting URL is the secret HMAC + original basename
+            path = dst_fname
+            if src_fname:
+                path += '/' + src_fname
 
             path = urlparse.quote(path)
             reply = ('https://%s/%s' % (host, path)).encode('ascii')
-- 
cgit v1.2.3
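Review bot: The new `src_fname` line unquotes the whole request target, so a query string or fragment (`/name.txt?x=1`) ends up inside the basename and, via `os.path.splitext(src_fname)[1]` later in the same method, inside the generated URL's extension; only the path component should be used: `src_fname = os.path.basename(urlparse.unquote(urlparse.urlsplit(self.path).path))`. The `'/' in src_fname` test is redundant after `os.path.basename` on POSIX, since the basename can never contain a separator; it does no harm, but a comment such as `# reject anything that is not a plain filename component` would state the intent better than the check itself. Because `urlparse.unquote` decodes `%00` and other control characters, it would be worth confirming that the sanitized name is never later joined into a filesystem path (that code is outside this hunk); the rest of `do_POST` continues past the hunk.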
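Review bot: The second hunk sanitizes the private-server branch but leaves the public-server branch (`path += os.path.splitext(src_fname)[1]`, a context line just above the change) appending a client-chosen extension with no restriction on its characters or length, which is the same user-controlled URL component the commit sets out to clean up. A short allowlist would make both branches consistent, e.g. `ext = os.path.splitext(src_fname)[1]` followed by `path += ext if re.fullmatch(r'\.[A-Za-z0-9]{1,8}', ext) else ''` (needs `re` in scope; whether it already is cannot be seen here). The enclosing method starts before this hunk and the `path = urlparse.quote(path)` line keeps the result URL-safe, so the concern is about what the extension means when served, not about the URL encoding itself.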