Use Absolutize for files that do not exist
Canonicalize relies on the file existing to resolve the potential traversal, which won't work for file upload in case the file name has a traversal inside it.
This commit is contained in:
Cameron Cordes
19
Cargo.lock
generated
19
Cargo.lock
generated
@@ -1133,6 +1133,7 @@ dependencies = [
|
||||
"image",
|
||||
"jsonwebtoken",
|
||||
"notify",
|
||||
"path-absolutize",
|
||||
"rayon",
|
||||
"serde",
|
||||
"serde_json",
|
||||
@@ -1596,6 +1597,24 @@ dependencies = [
|
||||
"winapi 0.3.9",
|
||||
]
|
||||
|
||||
[[package]]
|
||||
name = "path-absolutize"
|
||||
version = "3.0.6"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "7a6ab2aaa5faefed84db46e4398eab15fa51325606462b5da8b0e230af3ac59a"
|
||||
dependencies = [
|
||||
"path-dedot",
|
||||
]
|
||||
|
||||
[[package]]
|
||||
name = "path-dedot"
|
||||
version = "3.0.7"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "658c6e985fce9c25289fe7c86c08a3cbe82c19a3cd5b3bc5945c8c632552e460"
|
||||
dependencies = [
|
||||
"once_cell",
|
||||
]
|
||||
|
||||
[[package]]
|
||||
name = "pem"
|
||||
version = "0.8.1"
|
||||
|
||||
Reference in New Issue
Block a user