http.c: Disallow forbidden filenames during upload

- '.' or '..' must not be used for filenames. - Filenames must not contain forward slashes ('/'). - Filenames must not contain asterisks ('*') to avoid confusion with wildcard expressions.
author: Xavier Del Campo Romero <xavi.dcr@tutanota.com> 2023-07-09 04:16:31 +0200
committer: Xavier Del Campo Romero <xavi.dcr@tutanota.com> 2023-07-09 05:41:43 +0200
commit: fbd730754b83dd9ae95d9b308e29ba7e85001528 (patch)
tree: 58c2a1cb260db3f252f517530baf4f159b8ea7ef
parent: fa8217c511a0ff732be1c02921e105597ced7850 (diff)
download: slcl-fbd730754b83dd9ae95d9b308e29ba7e85001528.tar.gz
1 files changed, 8 insertions, 0 deletions
diff --git a/http.c b/http.c
index bf0bfda..cb28ee5 100644
--- a/http.c
+++ b/http.c
@@ -1228,6 +1228,14 @@ static int cd_fields(struct http_ctx *const h, struct form *const f,
                 fprintf(stderr, "%s: strndup(3): %s\n", __func__, strerror(errno));
                 return -1;
             }
+            else if (!strcmp(f->filename, ".")
+                || !strcmp(f->filename, "..")
+                || strpbrk(f->filename, "/*"))
+            {
+                fprintf(stderr, "%s: invalid filename %s\n",
+                    __func__, f->filename);
+                return 1;
+            }
         }
     } while ((sep = strchr(sep, ';')));
author	Xavier Del Campo Romero <xavi.dcr@tutanota.com>	2023-07-09 04:16:31 +0200
committer	Xavier Del Campo Romero <xavi.dcr@tutanota.com>	2023-07-09 05:41:43 +0200
commit	fbd730754b83dd9ae95d9b308e29ba7e85001528 (patch)
tree	58c2a1cb260db3f252f517530baf4f159b8ea7ef
parent	fa8217c511a0ff732be1c02921e105597ced7850 (diff)
download	slcl-fbd730754b83dd9ae95d9b308e29ba7e85001528.tar.gz