From 5404e4fcb513bd8bf355e730aa37546b16164cad Mon Sep 17 00:00:00 2001
From: Jonas Diemer <jonasdiemer@gmail.com>
Date: Wed, 17 Aug 2022 10:28:11 +0200
Subject: sanitize allowed upload paths for cases like ./dir

---
 src/config.rs      | 3 ++-
 src/file_upload.rs | 2 +-
 2 files changed, 3 insertions(+), 2 deletions(-)

(limited to 'src')

diff --git a/src/config.rs b/src/config.rs
index 4f794d1..1331e7d 100644
--- a/src/config.rs
+++ b/src/config.rs
@@ -16,6 +16,7 @@ use rustls_pemfile as pemfile;
 use crate::{
     args::{CliArgs, MediaType},
     auth::RequiredAuth,
+    file_upload::sanitize_path
 };
 
 /// Possible characters for random routes
@@ -251,7 +252,7 @@ impl MiniserveConfig {
             show_qrcode: args.qrcode,
             mkdir_enabled: args.mkdir_enabled,
             file_upload: !args.allowed_upload_dir.is_none(),
-            allowed_upload_dir: args.allowed_upload_dir.unwrap_or(vec![]),
+            allowed_upload_dir: args.allowed_upload_dir.unwrap_or(vec![]).iter().map(|x| sanitize_path(x, false).unwrap()).collect(),
             uploadable_media_type,
             tar_enabled: args.enable_tar,
             tar_gz_enabled: args.enable_tar_gz,
diff --git a/src/file_upload.rs b/src/file_upload.rs
index c6e7ac6..4d4f225 100644
--- a/src/file_upload.rs
+++ b/src/file_upload.rs
@@ -218,7 +218,7 @@ pub async fn upload_file(
 /// and optionally prevent traversing hidden directories.
 ///
 /// See the unit tests tests::test_sanitize_path* for examples
-fn sanitize_path(path: &Path, traverse_hidden: bool) -> Option<PathBuf> {
+pub fn sanitize_path(path: &Path, traverse_hidden: bool) -> Option<PathBuf> {
     let mut buf = PathBuf::new();
 
     for comp in path.components() {
-- 
cgit v1.2.3