Merge pull request #1396 from open-webui/main

dev

Merge pull request #1396 from open-webui/main
dev
f340178b · Timothy Jaeryang Baek · GitHub · aa6c8b1b · 5558514f · f340178b
Unverified Commit f340178b authored Apr 02, 2024 by Timothy Jaeryang Baek Committed by GitHub Apr 02, 2024
Show whitespace changes
Inline Side-by-side

Showing with 18 additions and 1 deletion

backend/apps/rag/main.py backend/apps/rag/main.py +18 -1

No files found.
--- a/backend/apps/rag/main.py
+++ b/backend/apps/rag/main.py
@@ -448,8 +448,25 @@ def store_doc(
    log.info(f"file.content_type: {file.content_type}")
    try:
+        is_valid_filename = True
+        unsanitized_filename = file.filename
+        if not unsanitized_filename.isascii():
+            is_valid_filename = False
+        unvalidated_file_path = f"{UPLOAD_DIR}/{unsanitized_filename}"
+        dereferenced_file_path = str(Path(unvalidated_file_path).resolve(strict=False))
+        if not dereferenced_file_path.startswith(UPLOAD_DIR):
+            is_valid_filename = False
+        if is_valid_filename:
+            file_path = dereferenced_file_path
+        else:
+            raise HTTPException(
+                status_code=status.HTTP_400_BAD_REQUEST,
+                detail=ERROR_MESSAGES.DEFAULT(),
+            )
        filename = file.filename
-        file_path = f"{UPLOAD_DIR}/{filename}"
        contents = file.file.read()
        with open(file_path, "wb") as f:
            f.write(contents)