fix: security fixes
Insecure filename was being used
amunchet committed Sep 16, 2023
1 parent 0cfb483 commit 08b5cc1
Showing 1 changed file with 3 additions and 2 deletions.
5 changes: 3 additions & 2 deletions backend/serve.py
@@ -145,9 +145,10 @@ def upload(file_type, override_token): # pragma: no cover
file = request.files["file"]
else:
data = request.form["file"]
filename = secure_filename(request.form["filename"])
filename = request.form["filename"]

file_type = secure_filename(file_type)
filename = secure_filename(filename)

if file != "" and file.filename == "":
return "No file selected", 409
@@ -197,7 +198,7 @@ def upload(file_type, override_token): # pragma: no cover
# Chmod
chmod_filename = "/src/uploads/{}/{}".format(file_type, filename)
os.chmod(chmod_filename, 0o600)
return file.filename, 200
return filename, 200


@app.route("/uploads/<file_type>", methods=["GET"])
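Review bot: `secure_filename()` can return an empty string (for example when the name consists only of characters it strips), and the empty-name check right after the new lines still tests the raw `file.filename`, so an emptied `filename` or `file_type` would flow into the `/src/uploads/{}/{}` path that the second hunk passes to `os.chmod`. Rejecting it directly after sanitising would close that gap: `if not file_type or not filename: return "Invalid filename", 400`. The branch that reads `request.files["file"]` begins above the first hunk, so it is not visible here whether `filename` is assigned on that path before the new `secure_filename(filename)` call; that is worth confirming. `upload` also carries `# pragma: no cover`, so no test currently pins the sanitising behaviour this commit relies on.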