diff options
| author | Jonas Diemer <jonasdiemer@gmail.com> | 2022-08-17 08:28:46 +0000 |
|---|---|---|
| committer | Jonas Diemer <jonasdiemer@gmail.com> | 2022-09-18 18:26:54 +0000 |
| commit | d905b68ca93c42769c3ebddf472a2916dc75b012 (patch) | |
| tree | b4a40b65cdc57a345afdf8c11f935b4af732fe00 /src/file_upload.rs | |
| parent | sanitize allowed upload paths for cases like ./dir (diff) | |
| download | miniserve-d905b68ca93c42769c3ebddf472a2916dc75b012.tar.gz miniserve-d905b68ca93c42769c3ebddf472a2916dc75b012.zip | |
cargo fmt
Diffstat (limited to 'src/file_upload.rs')
| -rw-r--r-- | src/file_upload.rs | 14 |
1 files changed, 8 insertions, 6 deletions
diff --git a/src/file_upload.rs b/src/file_upload.rs index 4d4f225..0232c7e 100644 --- a/src/file_upload.rs +++ b/src/file_upload.rs @@ -171,17 +171,19 @@ pub async fn upload_file( ContextualError::IoError("Failed to resolve path served by miniserve".to_string(), e) })?; - // Disallow paths outside of allowed directories - let upload_allowed = conf.allowed_upload_dir.is_empty() || - conf.allowed_upload_dir.iter().any(|s| upload_path.starts_with(s)); + let upload_allowed = conf.allowed_upload_dir.is_empty() + || conf + .allowed_upload_dir + .iter() + .any(|s| upload_path.starts_with(s)); if !upload_allowed { - return Err(ContextualError::InvalidPathError("Not allowed to upload to this path".to_string())); + return Err(ContextualError::InvalidPathError( + "Not allowed to upload to this path".to_string(), + )); } - - // Disallow the target path to go outside of the served directory // The target directory shouldn't be canonicalized when it gets passed to // handle_multipart so that it can check for symlinks if needed |