From fbd730754b83dd9ae95d9b308e29ba7e85001528 Mon Sep 17 00:00:00 2001
From: Xavier Del Campo Romero
Date: Sun, 9 Jul 2023 04:16:31 +0200
Subject: [PATCH] http.c: Disallow forbidden filenames during upload
- '.' or '..' must not be used for filenames.
- Filenames must not contain forward slashes ('/').
- Filenames must not contain asterisks ('*') to avoid confusion with wildcard expressions.
---
http.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/http.c b/http.c
index bf0bfda..cb28ee5 100644
--- a/http.c
+++ b/http.c
@@ -1228,6 +1228,14 @@ static int cd_fields(struct http_ctx *const h, struct form *const f,
 fprintf(stderr, "%s: strndup(3): %s\n", __func__, strerror(errno));
 return -1;
 }
+ else if (!strcmp(f->filename, ".")
+ || !strcmp(f->filename, "..")
+ || strpbrk(f->filename, "/*"))
+ {
+ fprintf(stderr, "%s: invalid filename %s\n",
+ __func__, f->filename);
+ return 1;
+ }
 }
 }
 while ((sep = strchr(sep, ';')));
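Review bot: The new `else if` is a denylist that still accepts an empty filename and names containing control bytes such as newline or terminal escape sequences, and the new fprintf then echoes the rejected name verbatim to stderr, so a crafted Content-Disposition can inject arbitrary lines into the server log. Consider extending the condition with `*f->filename == '\0'` and a loop rejecting any byte for which `iscntrl((unsigned char)c)` holds, and logging the name in an escaped or length-bounded form rather than with a bare `%s`. Backslash is not rejected either; whether that matters depends on the filesystem the upload lands on, which the hunk does not show. The invalid-filename path returns 1 while the strndup failure just above returns -1, and since f->filename was allocated by that strndup, the buffer leaks on this path unless the caller frees it on every non-zero return; cd_fields starts before the hunk, so neither the return-value convention nor the caller's cleanup can be confirmed here.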