Diffstat (limited to 'src/file_upload.rs')
-rw-r--r-- | src/file_upload.rs | 16 |
1 files changed, 5 insertions, 11 deletions
diff --git a/src/file_upload.rs b/src/file_upload.rs
index 56112f3..e5f6173 100644
--- a/src/file_upload.rs
+++ b/src/file_upload.rs
@@ -174,21 +174,15 @@ pub async fn upload_file(
 // Disallow paths outside of restricted directories
 // TODO: Probably not the most rust-ic style...
- if !conf.restrict_upload_dir.is_empty() {
- let mut upload_allowed = false;
- for restricted_dir in conf.restrict_upload_dir.iter() {
- if upload_path.starts_with(restricted_dir) {
- upload_allowed = true;
- break;
- }
- }
+ let upload_allowed = conf.restrict_upload_dir.is_empty() ||
+ conf.restrict_upload_dir.iter().any(|s| upload_path.starts_with(s));
- if !upload_allowed {
- return Err(ContextualError::InvalidPathError("Not allowed to upload to this path".to_string()));
- }
+ if !(upload_allowed) {
+ return Err(ContextualError::InvalidPathError("Not allowed to upload to this path".to_string()));
 }
+
 // Disallow the target path to go outside of the served directory
 // The target directory shouldn't be canonicalized when it gets passed to
 // handle_multipart so that it can check for symlinks if needed |
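Review bot: The allow-list test `upload_path.starts_with(s)` in the new `upload_allowed` expression is only a prefix match, so it is sound only if `upload_path` has already been normalised; the hunk does not show where `upload_path` comes from, and the body of `upload_file` starts and ends outside it. If the value can still carry parent-directory components, a path that begins with a permitted directory would pass this check while resolving elsewhere under the served root, and if it is a string rather than a `Path` the match is not component-wise at all. I would state the assumption next to the check, for example `// upload_path must already be sanitized (no parent-dir components); Path::starts_with compares whole components`, or reject such components before the check runs. The retained TODO about style now looks stale, and `if !(upload_allowed)` can drop its parentheses.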