apunkt/SurfSense
1
0
Fork 0
mirror of https://github.com/MODSetter/SurfSense.git synced 2026-05-19 18:45:15 +02:00
Code Issues Projects Releases Packages Wiki Activity

security: sanitize folder names in ZIP export paths

Browse source
This commit is contained in:
CREDO23 2026-04-09 13:39:36 +02:00
parent 7a7792fc79
commit b5f6e44fc3
1 changed files with 3 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

5
surfsense_backend/app/services/export_service.py
View file

@ -29,10 +29,11 @@ def _build_folder_path_map(folders: list[Folder]) -> dict[int, str]:
if folder_id in cache: if folder_id in cache:
return cache[folder_id] return cache[folder_id]
folder = id_to_folder[folder_id] folder = id_to_folder[folder_id]
safe_name = _sanitize_filename(folder.name)
if folder.parent_id is None or folder.parent_id not in id_to_folder: if folder.parent_id is None or folder.parent_id not in id_to_folder:
cache[folder_id] = folder.name cache[folder_id] = safe_name
else: else:
cache[folder_id] = f"{resolve(folder.parent_id)}/{folder.name}" cache[folder_id] = f"{resolve(folder.parent_id)}/{safe_name}"
return cache[folder_id] return cache[folder_id]
for f in folders: for f in folders: