sanitize filename

2025-07-17 21:44:35 +00:00 · 2025-06-20 18:23:03 +02:00
parent d8cf89619f
commit 11dc57ea01
1 changed files with 37 additions and 0 deletions
--- a/server/protocol.go
+++ b/server/protocol.go
@ -8,6 +8,8 @@ import (
 	"net/http"
 	"os"
 	"path/filepath"
+	"strings"
+	"unicode"

 	"github.com/coalaura/up/internal"
 	"github.com/patrickmn/go-cache"
@ -230,6 +232,16 @@ func HandleReceiveRequest(w http.ResponseWriter, r *http.Request) {
 	}

 	name := filepath.Base(part.FileName())
+	name = SanitizeFilename(name)
+
+	if name == "" {
+		w.WriteHeader(http.StatusBadRequest)
+
+		log.Warning("receive: invalid or missing filename")
+		log.WarningE(err)
+
+		return
+	}

 	if _, err := os.Stat("files"); os.IsNotExist(err) {
 		os.Mkdir("files", 0700)
@ -277,3 +289,28 @@ func DecodeAndAuthorizePublicKey(public string, authorized map[string]ssh.Public

 	return key, nil
 }
+
+func SanitizeFilename(name string) string {
+	if name == "" {
+		return ""
+	}
+
+	var (
+		bad     bool
+		cleaned strings.Builder
+	)
+
+	for _, r := range name {
+		if r >= 32 && r != 127 && !unicode.IsControl(r) {
+			cleaned.WriteRune(r)
+
+			bad = false
+		} else if !bad {
+			cleaned.WriteRune('_')
+
+			bad = true
+		}
+	}
+
+	return cleaned.String()
+}