added safer filenames in _parse_multipart

patx · Feb 11, 2025 · 51f0b79 · 51f0b79
1 parent 9359e51
commit 51f0b79
Showing 1 changed file with 6 additions and 1 deletion.
diff --git a/MicroPie.py b/MicroPie.py
@@ -308,7 +308,11 @@ async def _parse_multipart(self, reader: asyncio.StreamReader, boundary: bytes)
             upload_directory: str = "uploads"
             await aiofiles.os.makedirs(upload_directory, exist_ok=True)
             while not parser.closed:
-                chunk: bytes = await reader.read(65536)
+                try:
+                    chunk: bytes = await reader.read(65536)
+                except Exception as e:
+                    print(f"Error readinf multipart data: {e}")
+                    break
                 for result in parser.parse(chunk):
                     if isinstance(result, MultipartSegment):
                         current_field_name = result.name
@@ -320,6 +324,7 @@ async def _parse_multipart(self, reader: asyncio.StreamReader, boundary: bytes)
                                 current_content_type = value
                         if current_filename:
                             safe_filename: str = f"{uuid.uuid4()}_{current_filename}"
+                            safe_filename = re.sub(r"[^a-zA-Z0-9_.-]", "_", safe_filename)
                             file_path: str = os.path.join(upload_directory, safe_filename)
                             current_file = await aiofiles.open(file_path, "wb")
                         else: