sanitize allowed upload paths for cases like ./dir

author: Jonas Diemer <jonasdiemer@gmail.com> 2022-08-17 08:28:11 +0000
committer: Jonas Diemer <jonasdiemer@gmail.com> 2022-09-18 18:25:37 +0000
commit: 5404e4fcb513bd8bf355e730aa37546b16164cad (patch)
tree: 8b0e0d4a0b23cf598d84423cabc1d6bca38345ec /src/config.rs
parent: Use argument -u instead of --allowed-upload-dir (diff)
download: miniserve-5404e4fcb513bd8bf355e730aa37546b16164cad.tar.gz
miniserve-5404e4fcb513bd8bf355e730aa37546b16164cad.zip
1 files changed, 2 insertions, 1 deletions
diff --git a/src/config.rs b/src/config.rs
index 4f794d1..1331e7d 100644
--- a/src/config.rs
+++ b/src/config.rs
@@ -16,6 +16,7 @@ use rustls_pemfile as pemfile;
 use crate::{
     args::{CliArgs, MediaType},
     auth::RequiredAuth,
+    file_upload::sanitize_path
 };
 
 /// Possible characters for random routes
@@ -251,7 +252,7 @@ impl MiniserveConfig {
             show_qrcode: args.qrcode,
             mkdir_enabled: args.mkdir_enabled,
             file_upload: !args.allowed_upload_dir.is_none(),
-            allowed_upload_dir: args.allowed_upload_dir.unwrap_or(vec![]),
+            allowed_upload_dir: args.allowed_upload_dir.unwrap_or(vec![]).iter().map(|x| sanitize_path(x, false).unwrap()).collect(),
             uploadable_media_type,
             tar_enabled: args.enable_tar,
             tar_gz_enabled: args.enable_tar_gz,
author	Jonas Diemer <jonasdiemer@gmail.com>	2022-08-17 08:28:11 +0000
committer	Jonas Diemer <jonasdiemer@gmail.com>	2022-09-18 18:25:37 +0000
commit	5404e4fcb513bd8bf355e730aa37546b16164cad (patch)
tree	8b0e0d4a0b23cf598d84423cabc1d6bca38345ec /src/config.rs
parent	Use argument -u instead of --allowed-upload-dir (diff)
download	miniserve-5404e4fcb513bd8bf355e730aa37546b16164cad.tar.gz miniserve-5404e4fcb513bd8bf355e730aa37546b16164cad.zip