From 11dc57ea01eaad86c972e51a3ebf269e49f4ab2e Mon Sep 17 00:00:00 2001
From: Laura
Date: Fri, 20 Jun 2025 18:23:03 +0200
Subject: [PATCH] sanitize filename
---
 server/protocol.go | 37 +++++++++++++++++++++++++++++++++++++
 1 file changed, 37 insertions(+)
diff --git a/server/protocol.go b/server/protocol.go
index 9194796..8756421 100644
--- a/server/protocol.go
+++ b/server/protocol.go
@@ -8,6 +8,8 @@ import (
 	"net/http"
 	"os"
 	"path/filepath"
+	"strings"
+	"unicode"
 
 	"github.com/coalaura/up/internal"
 	"github.com/patrickmn/go-cache"
@@ -230,6 +232,16 @@ func HandleReceiveRequest(w http.ResponseWriter, r *http.Request) {
 	}
 
 	name := filepath.Base(part.FileName())
+	name = SanitizeFilename(name)
+
+	if name == "" {
+		w.WriteHeader(http.StatusBadRequest)
+
+		log.Warning("receive: invalid or missing filename")
+		log.WarningE(err)
+
+		return
+	}
 
 	if _, err := os.Stat("files"); os.IsNotExist(err) {
 		os.Mkdir("files", 0700)
@@ -277,3 +289,28 @@ func DecodeAndAuthorizePublicKey(public string, authorized map[string]ssh.Public
 
 	return key, nil
 }
+
+func SanitizeFilename(name string) string {
+	if name == "" {
+		return ""
+	}
+
+	var (
+		bad     bool
+		cleaned strings.Builder
+	)
+
+	for _, r := range name {
+		if r >= 32 && r != 127 && !unicode.IsControl(r) {
+			cleaned.WriteRune(r)
+
+			bad = false
+		} else if !bad {
+			cleaned.WriteRune('_')
+
+			bad = true
+		}
+	}
+
+	return cleaned.String()
+}
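Review bot: The `if name == ""` guard in the HandleReceiveRequest hunk can never fire, so a multipart part with no filename is not rejected: filepath.Base returns "." for an empty input (and a single separator for "/"), and SanitizeFilename only returns "" when given "", so a missing filename reaches the file write as ".", and a literal ".." passes both steps unchanged too. The check should cover those values, e.g. `if name == "" || name == "." || name == ".." {`; SanitizeFilename in the last hunk does not reject them either, so this guard is the place. The `log.WarningE(err)` line logs whatever `err` happens to hold here — nothing in the hunk assigns it, and it is presumably nil once the part was read, so it adds no information; logging the rejected name with `%q` instead would make the warning actionable. HandleReceiveRequest begins and ends outside the hunk.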
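Review bot: In SanitizeFilename the condition `r >= 32 && r != 127 && !unicode.IsControl(r)` is redundant: unicode.IsControl already returns true for 0–31, 127 and the C1 range 128–159, so the first two terms add nothing and the line can read `if !unicode.IsControl(r) {`. The function is exported but has no doc comment; it should state what it does and what it does not do, e.g. `// SanitizeFilename replaces each run of control characters in name with a single underscore. It does not remove path separators or reject "." and "..", so callers must apply filepath.Base and check those themselves.` Note that range over a string turns invalid UTF-8 bytes into U+FFFD, which is kept as-is — worth a one-line comment so the behaviour is deliberate rather than incidental.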