From 08b5cc14cfe599addda658bf2a77a1fadfd90e3b Mon Sep 17 00:00:00 2001
From: Chester Enright
Date: Sat, 16 Sep 2023 17:09:12 -0500
Subject: [PATCH] fix: security fixes

Insecure filename was being used
---
 backend/serve.py | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/backend/serve.py b/backend/serve.py
index 0ba09f2..4128891 100755
--- a/backend/serve.py
+++ b/backend/serve.py
@@ -145,9 +145,10 @@ def upload(file_type, override_token): # pragma: no cover
 file = request.files["file"]
 else:
 data = request.form["file"]
- filename = secure_filename(request.form["filename"])
+ filename = request.form["filename"]
 file_type = secure_filename(file_type)
+ filename = secure_filename(filename)
 if file != "" and file.filename == "":
 return "No file selected", 409
@@ -197,7 +198,7 @@ def upload(file_type, override_token): # pragma: no cover
 # Chmod
 chmod_filename = "/src/uploads/{}/{}".format(file_type, filename)
 os.chmod(chmod_filename, 0o600)
- return file.filename, 200
+ return filename, 200
 @app.route("/uploads/", methods=["GET"])
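Review bot: The new unconditional `filename = secure_filename(filename)` placed after `file_type = secure_filename(file_type)` can produce an empty string (werkzeug's `secure_filename` returns `""` for names consisting only of dots and path separators), and nothing in the hunk rejects that result before the name is later joined into `/src/uploads/{}/{}`, where an empty component changes which path is written and chmod'ed. I would add `if not filename or not file_type: return "Invalid filename", 400` directly after the two sanitising lines, so the already-sanitised `file_type` gets the same empty-result check. Whether `filename` is bound on the `request.files["file"]` branch before the new `secure_filename(filename)` call cannot be confirmed from here, because that branch begins above the hunk; `upload` starts and ends outside this hunk.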
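Review bot: The response body now returns the sanitised `filename` instead of `file.filename`, so a client receives the stored name, which can differ from the name it submitted, and that contract is not documented anywhere near the return. I would put `# Return the sanitised name actually stored under /src/uploads/<file_type>/; it may differ from the submitted name` above `return filename, 200`, and replace the bare `# Chmod` with `# Restrict the stored upload to owner read/write so other local accounts cannot read it`. If the file is written by a save call above this hunk, there is a window between that write and `os.chmod` in which it carries the process umask permissions; that cannot be confirmed from the visible lines. `upload` begins outside this hunk.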