diff options
| author | cyqsimon <28627918+cyqsimon@users.noreply.github.com> | 2024-01-26 05:13:21 +0000 |
|---|---|---|
| committer | cyqsimon <28627918+cyqsimon@users.noreply.github.com> | 2024-01-26 05:13:21 +0000 |
| commit | 2fe13fbddb403469dc3260b2ff6c84ec5fc153c7 (patch) | |
| tree | e1afb1141376b58839e03f3b45bad8e672c0d7b3 | |
| parent | Bump deps (diff) | |
| download | miniserve-2fe13fbddb403469dc3260b2ff6c84ec5fc153c7.tar.gz miniserve-2fe13fbddb403469dc3260b2ff6c84ec5fc153c7.zip | |
Fix inaccurate uses of `sanitize_path`
Diffstat (limited to '')
| -rw-r--r-- | src/config.rs | 4 | ||||
| -rw-r--r-- | src/file_op.rs | 7 |
2 files changed, 6 insertions, 5 deletions
diff --git a/src/config.rs b/src/config.rs index 6e4a1eb..43414b2 100644 --- a/src/config.rs +++ b/src/config.rs @@ -266,9 +266,9 @@ impl MiniserveConfig { .map(|v| { v.iter() .map(|p| { - sanitize_path(p, false) + sanitize_path(p, args.hidden) .map(|p| p.display().to_string().replace('\\', "/")) - .ok_or(anyhow!("Illegal path {p:?}: upward traversal not allowed")) + .ok_or(anyhow!("Illegal path {p:?}")) }) .collect() }) diff --git a/src/file_op.rs b/src/file_op.rs index 760b23e..35e56fa 100644 --- a/src/file_op.rs +++ b/src/file_op.rs @@ -152,9 +152,10 @@ async fn handle_multipart( ) })?; - let filename_path = sanitize_path(Path::new(&filename), false).ok_or_else(|| { - ContextualError::InvalidPathError("Invalid file name to upload".to_string()) - })?; + let filename_path = + sanitize_path(Path::new(&filename), allow_hidden_paths).ok_or_else(|| { + ContextualError::InvalidPathError("Invalid file name to upload".to_string()) + })?; // Ensure there are no illegal symlinks in the file upload path if !allow_symlinks { |