Update README

2026-04-11 19:28:30 +00:00 · 2026-03-01 17:34:03 -05:00
parent ae64a5ee90
commit 63ede29db1
1 changed files with 10 additions and 1 deletions
--- a/README.md
+++ b/README.md
@@ -537,8 +537,17 @@ svr.Post("/multipart", [&](const Request& req, Response& res) {
      std::cout << "Header: " << header.first << " = " << header.second << std::endl;
    }

+    // IMPORTANT: file.filename is an untrusted value from the client.
+    // Always extract only the basename to prevent path traversal attacks.
+    auto safe_name = std::filesystem::path(file.filename).filename();
+    if (safe_name.empty() || safe_name == "." || safe_name == "..") {
+      res.status = StatusCode::BadRequest_400;
+      res.set_content("Invalid filename", "text/plain");
+      return;
+    }
+
    // Save to disk
-    std::ofstream ofs(file.filename, std::ios::binary);
+    std::ofstream ofs(upload_dir / safe_name, std::ios::binary);
    ofs << file.content;
  }