Prevent directory traversal attacks

beavailable · Oct 19, 2022 · d21b970 · d21b970
1 parent 072f1b1
commit d21b970
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/share.py b/share.py
@@ -129,7 +129,7 @@ def handle_multipart(self, save_dir, redirect_location):
                 if not filename:
                     self.respond_bad_request()
                     return
-                with open(f'{save_dir}/{filename}', 'wb') as f:
+                with open(f'{save_dir}/{os.path.basename(filename)}', 'wb') as f:
                     parser.write_next_to(f)
         except MultipartError:
             self.respond_bad_request()