Hey. My Rust ist not that good, so I am not sure if I might have overlooked something. Sorry for the noise, if this is the case. But I am testing this for an automated downloader script and looked at the code:
Here the filename is received:
|
return (name[..pos].to_string(), name[pos + 1..].to_string()); |
And here it is used to write the file:
|
let mut file = std::fs::File::create(&final_path) |
I am not sure if it was my other client or the servers sanitizing the name, so I do not think this is exploitable by other users. But if the server sends such a path, it could be ../.bashrc for example to overwrite files outside the download directory.
Maybe add a bit of sanitizing here?
I will try to open a PR. But feel free to close this issue and the PR if you think this is not relevant.
Hey. My Rust ist not that good, so I am not sure if I might have overlooked something. Sorry for the noise, if this is the case. But I am testing this for an automated downloader script and looked at the code:
Here the filename is received:
tgcli/src/app/send.rs
Line 2337 in f7686ad
And here it is used to write the file:
tgcli/src/app/send.rs
Line 2098 in f7686ad
I am not sure if it was my other client or the servers sanitizing the name, so I do not think this is exploitable by other users. But if the server sends such a path, it could be
../.bashrcfor example to overwrite files outside the download directory.Maybe add a bit of sanitizing here?
I will try to open a PR. But feel free to close this issue and the PR if you think this is not relevant.