From 4e4ca0f38ed74270bbcd2770f425bca68c49eeb4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Andr=C3=A9=20Roth?=
Date: Thu, 4 Jun 2026 16:10:50 +0000
Subject: [PATCH] fix(dput): validate :file path param to prevent directory traversal

---
 api/files.go | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/api/files.go b/api/files.go
index 9c62ac9e..32e9c491 100644
--- a/api/files.go
+++ b/api/files.go
@@ -208,6 +208,12 @@ func apiFilesUploadOne(c *gin.Context) {
 return
 }
 
+ fileName := c.Params.ByName("file")
+ if !verifyPath(fileName) {
+ AbortWithJSONError(c, 400, fmt.Errorf("wrong file"))
+ return
+ }
+
 path := filepath.Join(context.UploadPath(), utils.SanitizePath(c.Params.ByName("dir")))
 
 err := os.MkdirAll(path, 0777)
@@ -217,7 +223,7 @@ func apiFilesUploadOne(c *gin.Context) {
 }
 
 stored := []string{}
- destPath := filepath.Join(path, c.Params.ByName("file"))
+ destPath := filepath.Join(path, fileName)
 dst, err := os.Create(destPath)
 if err != nil {
 AbortWithJSONError(c, 500, err)
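Review bot: The new guard `if !verifyPath(fileName)` is the only check between the `:file` parameter and `filepath.Join`, and verifyPath's body is outside this hunk, so what it actually rejects cannot be confirmed from here. Since this handler writes exactly one file directly under `path`, the parameter should be required to be a single path component independently of verifyPath: `if fileName == "." || fileName == ".." || filepath.Base(fileName) != fileName || !verifyPath(fileName) {`. With gin's `:file` syntax the segment presumably cannot contain `/`, but it can still be a bare `.` or `..`, and on Windows a `\` would survive the router, which the `Base` comparison catches. The error string `"wrong file"` could also say what was wrong, e.g. `fmt.Errorf("invalid file name")`. apiFilesUploadOne starts before and continues past this hunk.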
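Review bot: `destPath := filepath.Join(path, fileName)` still trusts two separate sanitizers (`utils.SanitizePath` for `dir`, `verifyPath` for `file`), neither of which is visible in this patch, and nothing checks the resolved path itself. A containment check on `destPath` against `context.UploadPath()` right after this line keeps the handler inside the upload root even if either helper is changed later. This presumably needs `strings` in the file's import block; the enclosing function continues past the hunk.
```go
	destPath := filepath.Join(path, fileName)
	// Defense in depth: refuse anything that resolved outside the upload root,
	// independent of what SanitizePath/verifyPath happened to accept.
	if rel, err := filepath.Rel(context.UploadPath(), destPath); err != nil ||
		rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		AbortWithJSONError(c, 400, fmt.Errorf("wrong file"))
		return
	}
	// … unchanged: os.Create(destPath) and the copy …
```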