From ea3b09dea83fd372f471dd01b87ef36566773a84 Mon Sep 17 00:00:00 2001
From: Kim Alvefur <zash@zash.se>
Date: Tue, 26 Jan 2021 14:52:37 +0100
Subject: mod_http_file_share: Validate that filename does not contain '/'

---
 plugins/mod_http_file_share.lua | 6 ++++++
 1 file changed, 6 insertions(+)

(limited to 'plugins')

diff --git a/plugins/mod_http_file_share.lua b/plugins/mod_http_file_share.lua
index 4c9dc9e9..89dda500 100644
--- a/plugins/mod_http_file_share.lua
+++ b/plugins/mod_http_file_share.lua
@@ -36,6 +36,7 @@ end
 
 local upload_errors = errors.init(module.name, namespace, {
 	access = { "auth"; "forbidden" };
+	filename = { "modify"; "bad-request", "Invalid filename" };
 });
 
 function may_upload(uploader, filename, filesize, filetype) -- > boolean, error
@@ -44,6 +45,11 @@ function may_upload(uploader, filename, filesize, filetype) -- > boolean, error
 		return false, upload_errors.new("access");
 	end
 
+	if not filename or filename:find"/" then
+		-- On Linux, only '/' and '\0' are invalid in filenames and NUL can't be in XML
+		return false, upload_errors.new("filename");
+	end
+
 	return true;
 end
 
-- 
cgit v1.2.3