From 42ff89d741ed8fda577b27571cfd5c138db5f419 Mon Sep 17 00:00:00 2001 From: yggverse Date: Thu, 19 Mar 2026 20:55:57 +0200 Subject: [PATCH] apply traversal filter to `path_source` only, warn instead of panic --- src/main.rs | 40 ++++++++++++++++++++++------------------ 1 file changed, 22 insertions(+), 18 deletions(-) diff --git a/src/main.rs b/src/main.rs index 4fe299e..c5fcdcf 100644 --- a/src/main.rs +++ b/src/main.rs @@ -193,30 +193,34 @@ fn main() -> Result<()> { let path_source = { let mut p = PathBuf::from(&config.upload); p.push(upload); - p.canonicalize()? + match p.canonicalize() { + Ok(canonical) => { + if canonical.starts_with(&config.upload) { + canonical + } else { + warn!( + "Possible traversal request: `{}` (post #{}, user #{})", + canonical.to_string_lossy(), + post.id, + post.user_id + ); + continue; + } + } + Err(e) => { + error!("{e}: `{}` (post #{})", p.to_string_lossy(), post.id); + continue; + } + } }; let path_target = { let mut p = PathBuf::from(&config.target); p.push(upload); - p.canonicalize()? + p }; - - // prevent traversal request - assert!(path_source.starts_with(&config.upload)); - assert!(path_target.starts_with(&config.target)); - - let path_parent = path_target.parent().unwrap(); - - create_dir_all(path_parent)?; if !path_target.exists() { - if path_source.exists() { - copy(path_source, path_target)?; - } else { - warn!( - "Source file does not exist: `{}`", - path_source.to_string_lossy() - ) - } + create_dir_all(path_target.parent().unwrap())?; + copy(path_source, path_target)?; } } content.push("---\n".into())