YGGverse/flarumdown
1
0
Fork 0
mirror of https://github.com/YGGverse/flarumdown.git synced 2026-03-31 08:45:28 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

prevent traversal request

Browse source
This commit is contained in:
yggverse 2026-03-19 20:26:54 +02:00
parent b141bdcf8c
commit 694110583f
1 changed files with 7 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

9
src/main.rs
View file

@ -193,13 +193,18 @@ fn main() -> Result<()> {
let path_source = { let path_source = {
let mut p = PathBuf::from(&config.upload); let mut p = PathBuf::from(&config.upload);
p.push(upload); p.push(upload);
p p.canonicalize()?
}; };
let path_target = { let path_target = {
let mut p = PathBuf::from(&config.target); let mut p = PathBuf::from(&config.target);
p.push(upload); p.push(upload);
p p.canonicalize()?
}; };
// prevent traversal request
assert!(path_source.starts_with(&config.upload));
assert!(path_target.starts_with(&config.target));
let path_parent = path_target.parent().unwrap(); let path_parent = path_target.parent().unwrap();
create_dir_all(path_parent)?; create_dir_all(path_parent)?;