Suggested mitigation for KL-CAN-2024-002.
This commit is contained in:
parent
edeff20e1d
commit
6c96361402
1 changed files with 18 additions and 1 deletions
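@@ -448,8 +448,25 @@ def store_doc(
     log.info(f"file.content_type: {file.content_type}")
     try:
+        is_valid_filename = True
+        unsanitized_filename = file.filename
+        if not unsanitized_filename.isascii():
+            is_valid_filename = False
+
+        unvalidated_file_path = f"{UPLOAD_DIR}/{unsanitized_filename}"
+        dereferenced_file_path = str(Path(unvalidated_file_path).resolve(strict=False))
+        if not dereferenced_file_path.startswith(UPLOAD_DIR):
+            is_valid_filename = False
+
+        if is_valid_filename:
+            file_path = dereferenced_file_path
+        else:
+            raise HTTPException(
+                status_code=status.HTTP_400_BAD_REQUEST,
+                detail=ERROR_MESSAGES.DEFAULT(),
+            )
+
         filename = file.filename
-        file_path = f"{UPLOAD_DIR}/(unknown)"
         contents = file.file.read()
         with open(file_path, "wb") as f:
             f.write(contents)
 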
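Review bot: The containment check at `if not dereferenced_file_path.startswith(UPLOAD_DIR):` is a bare string-prefix test, so a name that resolves to a sibling directory such as `{UPLOAD_DIR}_x/...` is accepted, and because `UPLOAD_DIR` itself is never canonicalised the comparison will misbehave whenever the resolved path differs from the configured spelling (if `UPLOAD_DIR` is relative or reached through a symlink, every upload is rejected). Resolve the root once and compare path components instead: `upload_root = Path(UPLOAD_DIR).resolve()`, `dereferenced_file_path = str((upload_root / unsanitized_filename).resolve(strict=False))`, `if Path(dereferenced_file_path).parent != upload_root:` — this also rejects an empty name or `.` that resolves to the directory itself, which would otherwise reach `open(file_path, "wb")`. The `isascii()` gate adds nothing to traversal protection once containment is checked correctly and rejects legitimate non-ASCII filenames; if it is kept for another reason, a comment stating that reason would help. If `file.filename` can be `None` (Starlette's UploadFile declares it optional), `.isascii()` raises AttributeError before any validation runs, so an explicit `if not unsanitized_filename:` guard setting `is_valid_filename = False` would turn that into the intended 400. `store_doc` begins before the hunk and the `except` clause that pairs with this `try:` lies outside it.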