Diffstat (limited to 'src/config.rs')
-rw-r--r--src/config.rs30
1 files changed, 17 insertions, 13 deletions
diff --git a/src/config.rs b/src/config.rs
index 1b5e07f..8a8a876 100644
--- a/src/config.rs
+++ b/src/config.rs
@@ -16,7 +16,7 @@ use rustls_pemfile as pemfile;
use crate::{
args::{parse_auth, CliArgs, MediaType},
auth::RequiredAuth,
- file_upload::sanitize_path,
+ file_utils::sanitize_path,
renderer::ThemeSlug,
};
@@ -252,6 +252,21 @@ impl MiniserveConfig {
})
});
+ let allowed_upload_dir = args
+ .allowed_upload_dir
+ .as_ref()
+ .map(|v| {
+ v.iter()
+ .map(|p| {
+ sanitize_path(p, false)
+ .map(|p| p.display().to_string().replace('\\', "/"))
+ .ok_or(anyhow!("Illegal path {p:?}: upward traversal not allowed"))
+ })
+ .collect()
+ })
+ .transpose()?
+ .unwrap_or_default();
+
Ok(MiniserveConfig {
verbose: args.verbose,
path: args.path.unwrap_or_else(|| PathBuf::from(".")),
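Review bot: In the added `allowed_upload_dir` block, `p.display().to_string()` is a lossy conversion: a non-UTF-8 path is stored with U+FFFD substitutions instead of being rejected, so the allowlist entry can differ from the directory the operator actually named. Since this list presumably gates where uploads may be written, I would fail closed instead, e.g. `.and_then(|p| p.to_str().map(|s| s.replace('\\', "/")))`, so such a path surfaces as a startup error (the removed code at least panicked on it via `to_str().unwrap()`). The error text would then need to cover more than "upward traversal", because the same `None` would also mean non-UTF-8 input. Separately, `.ok_or(anyhow!(...))` constructs the error on the success path too; `.ok_or_else(|| anyhow!(...))` avoids that. The enclosing function starts and ends outside this hunk, so how `allowed_upload_dir` is later compared against request paths is not visible here.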
@@ -273,18 +288,7 @@ impl MiniserveConfig {
show_qrcode: args.qrcode,
mkdir_enabled: args.mkdir_enabled,
file_upload: args.allowed_upload_dir.is_some(),
- allowed_upload_dir: args
- .allowed_upload_dir
- .unwrap_or_default()
- .iter()
- .map(|x| {
- sanitize_path(x, false)
- .unwrap()
- .to_str()
- .unwrap()
- .replace('\\', "/")
- })
- .collect(),
+ allowed_upload_dir,
uploadable_media_type,
tar_enabled: args.enable_tar,
tar_gz_enabled: args.enable_tar_gz,