http.c: Disallow forbidden filenames during upload

- '.' or '..' must not be used for filenames. - Filenames must not contain forward slashes ('/'). - Filenames must not contain asterisks ('*') to avoid confusion with wildcard expressions.
2023-07-09 04:16:31 +02:00 · 2023-07-09 04:16:31 +02:00 · fbd730754b
parent fa8217c511
commit fbd730754b
1 changed files with 8 additions and 0 deletions
--- a/http.c
+++ b/http.c
@ -1228,6 +1228,14 @@ static int cd_fields(struct http_ctx *const h, struct form *const f,
                fprintf(stderr, "%s: strndup(3): %s\n", __func__, strerror(errno));
                return -1;
            }
+            else if (!strcmp(f->filename, ".")
+                || !strcmp(f->filename, "..")
+                || strpbrk(f->filename, "/*"))
+            {
+                fprintf(stderr, "%s: invalid filename %s\n",
+                    __func__, f->filename);
+                return 1;
+            }
        }
    } while ((sep = strchr(sep, ';')));