author | Sven-Hendrik Haase <svenstaro@gmail.com> | 2024-01-28 04:11:29 +0000 |
---|---|---|
committer | GitHub <noreply@github.com> | 2024-01-28 04:11:29 +0000 |
commit | b472f20a3c250b647e81403edb1dac5af47daca8 (patch) | |
tree | e1afb1141376b58839e03f3b45bad8e672c0d7b3 | |
parent | Bump deps (diff) | |
parent | Fix inaccurate uses of `sanitize_path` (diff) | |
download | miniserve-b472f20a3c250b647e81403edb1dac5af47daca8.tar.gz miniserve-b472f20a3c250b647e81403edb1dac5af47daca8.zip |
Merge pull request #1327 from cyqsimon/sanitize_path_usage
Fix inaccurate uses of `sanitize_path`
-rw-r--r-- | src/config.rs | 4 | ||||
-rw-r--r-- | src/file_op.rs | 7 |
2 files changed, 6 insertions, 5 deletions
diff --git a/src/config.rs b/src/config.rs
index 6e4a1eb..43414b2 100644
--- a/src/config.rs
+++ b/src/config.rs
@@ -266,9 +266,9 @@ impl MiniserveConfig {
  .map(|v| {
  v.iter()
  .map(|p| {
- sanitize_path(p, false)
+ sanitize_path(p, args.hidden)
  .map(|p| p.display().to_string().replace('\\', "/"))
- .ok_or(anyhow!("Illegal path {p:?}: upward traversal not allowed"))
+ .ok_or(anyhow!("Illegal path {p:?}"))
  })
  .collect()
  })
diff --git a/src/file_op.rs b/src/file_op.rs
index 760b23e..35e56fa 100644
--- a/src/file_op.rs
+++ b/src/file_op.rs
@@ -152,9 +152,10 @@ async fn handle_multipart(
  )
  })?;

- let filename_path = sanitize_path(Path::new(&filename), false).ok_or_else(|| {
- ContextualError::InvalidPathError("Invalid file name to upload".to_string())
- })?;
+ let filename_path =
+ sanitize_path(Path::new(&filename), allow_hidden_paths).ok_or_else(|| {
+ ContextualError::InvalidPathError("Invalid file name to upload".to_string())
+ })?;

  // Ensure there are no illegal symlinks in the file upload path
  if !allow_symlinks { |
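Review bot: The shortened message `Illegal path {p:?}` in the src/config.rs hunk no longer tells the operator why a configured path was refused. With `args.hidden` now passed to `sanitize_path`, there are presumably at least two causes: upward traversal, or a hidden component while hidden files are disabled. Naming them keeps a start-up failure self-explanatory, e.g. `.ok_or_else(|| anyhow!("Illegal path {p:?}: upward traversal or hidden component not allowed"))`, with the wording adjusted to whatever `sanitize_path` actually rejects. The `ok_or_else` form also avoids building the `anyhow!` error for paths that are accepted, which `.ok_or(anyhow!(…))` does on every iteration. The closure chain starts and ends outside the hunk, so the surrounding option handling is not visible here.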
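Review bot: In the src/file_op.rs hunk, passing `allow_hidden_paths` to `sanitize_path` makes one setting decide whether an upload may create a dot-prefixed file, and nothing at the call site records that. The name is taken from `filename`, which looks like the client-supplied multipart file name, so this is a write-side policy decision as well as a listing one. A comment above the call would make the coupling explicit, e.g. `// Client-supplied name: dot-prefixed components are accepted only when hidden paths are enabled.` A test that uploads a dot-prefixed name with the option off and expects `ContextualError::InvalidPathError` would pin the behaviour. `handle_multipart` begins and ends outside the hunk, so where `allow_hidden_paths` comes from, and whether it is the same setting as `args.hidden` in src/config.rs, cannot be confirmed from here.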