authorXavier Del Campo Romero <xavi.dcr@tutanota.com>2023-07-09 04:16:31 +0200
committerXavier Del Campo Romero <xavi.dcr@tutanota.com>2023-07-20 23:52:56 +0200
commite0f43ac4105997f479071e430971ca51b4492ed2 (patch)
treefb8b1f6f6ef9e912cf708f088c4be7bf53b9dfdf /http.c
parentf136fdd463ac25a86e1870417e90da3a2db71ed7 (diff)
http.c: Disallow forbidden filenames during upload
- '.' or '..' must not be used for filenames. - Filenames must not contain forward slashes ('/'). - Filenames must not contain asterisks ('*') to avoid confusion with wildcard expressions.
Diffstat (limited to 'http.c')
-rw-r--r--http.c8
1 files changed, 8 insertions, 0 deletions
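--- a/http.c
+++ b/http.c
@@ -1228,6 +1228,14 @@ static int cd_fields(struct http_ctx *const h, struct form *const f,
 fprintf(stderr, "%s: strndup(3): %s\n", __func__, strerror(errno));
 return -1;
 }
+ else if (!strcmp(f->filename, ".")
+ || !strcmp(f->filename, "..")
+ || strpbrk(f->filename, "/*"))
+ {
+ fprintf(stderr, "%s: invalid filename %s\n",
+ __func__, f->filename);
+ return 1;
+ }
 }
 } while ((sep = strchr(sep, ';')));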
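Review bot: The new guard does not reject an empty filename, so a part carrying `filename=""` survives strndup and passes this check even though it names nothing usable; since this is where the other unusable names are refused, the test belongs in the same condition, e.g. `else if (!*f->filename || !strcmp(f->filename, ".") || !strcmp(f->filename, "..") || strpbrk(f->filename, "/*"))`. If the server is ever meant to run where a backslash is also a path separator, the set would need to be `"/\\*"`, but nothing on this page indicates such a target. The rejection message prints the untrusted filename verbatim to stderr, so a name containing newlines or other control bytes splits or forges log lines; escaping non-printable bytes (or at least bounding the width with `%.*s`) before logging keeps one event per line. Whether the strndup'd `f->filename` is released on the `return 1` path, and whether 1 versus -1 is the intended distinction between a client-side and an internal error, depends on the caller and the rest of cd_fields, both of which lie outside the hunk.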