From 2662c59fcffe1b62e019b08d1e22c1cd5c741066 Mon Sep 17 00:00:00 2001
From: Jonas Diemer <jonasdiemer@gmail.com>
Date: Tue, 2 Aug 2022 15:02:09 +0200
Subject: Added option restrict-upload-dir

---
 src/file_upload.rs | 13 +++++++++++++
 1 file changed, 13 insertions(+)

(limited to 'src/file_upload.rs')

diff --git a/src/file_upload.rs b/src/file_upload.rs
index 6643c68..747d0de 100644
--- a/src/file_upload.rs
+++ b/src/file_upload.rs
@@ -171,6 +171,19 @@ pub async fn upload_file(
         ContextualError::IoError("Failed to resolve path served by miniserve".to_string(), e)
     })?;
 
+
+    // Disallow paths outside of restricted directories
+    // TODO: Probably not the most rust-ic style...
+    if !conf.restrict_upload_dir.is_empty() {
+        let upl_path = upload_path.clone().into_os_string().into_string().unwrap();
+
+        if !(conf.restrict_upload_dir.contains(&upl_path)){
+            // not good
+            return Err(ContextualError::InvalidPathError("Not allowed to upload to this path".to_string()));
+        }
+    }
+
+
     // Disallow the target path to go outside of the served directory
     // The target directory shouldn't be canonicalized when it gets passed to
     // handle_multipart so that it can check for symlinks if needed
-- 
cgit v1.2.3