ded/cpp-httplib
1
0
Fork 0
mirror of https://github.com/yhirose/cpp-httplib.git synced 2026-04-11 19:28:30 +00:00
Code Issues Packages Projects Releases Wiki Activity

Add filename sanitization function and tests to prevent path traversal vulnerabilities

Browse Source
This commit is contained in:
yhirose
2026-03-13 00:29:13 -04:00
parent 4d7c9a788d
commit 83e98a28dd
3 changed files with 59 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

18
README.md
View File

@@ -541,16 +541,16 @@ svr.Post("/multipart", [&](const Request& req, Response& res) {
}
// IMPORTANT: file.filename is an untrusted value from the client.
// Always extract only the basename to prevent path traversal attacks.
auto safe_name = std::filesystem::path(file.filename).filename();
if (safe_name.empty() || safe_name == "." || safe_name == "..") {
// Always sanitize to prevent path traversal attacks.
auto safe_name = httplib::sanitize_filename(file.filename);
if (safe_name.empty()) {
res.status = StatusCode::BadRequest_400;
res.set_content("Invalid filename", "text/plain");
return;
}
// Save to disk
std::ofstream ofs(upload_dir / safe_name, std::ios::binary);
std::ofstream ofs(upload_dir + "/" + safe_name, std::ios::binary);
ofs << file.content;
}
@@ -586,6 +586,16 @@ svr.Post("/multipart", [&](const Request& req, Response& res) {
});
```
#### Filename Sanitization
`file.filename` in multipart uploads is an untrusted value from the client. Always sanitize before using it in file paths:
```cpp
auto safe = httplib::sanitize_filename(file.filename);
```
This function strips path separators (`/`, `\`), null bytes, leading/trailing whitespace, and rejects `.` and `..`. Returns an empty string if the filename is unsafe.
### Receive content with a content receiver
```cpp