Merge pull request #586 from caeroltheplasmoid/cve-fix

Critical: 585 fix file overwrite
2024-10-22 09:22:27 +08:00
parent 32f29d6112 0e4067b3bc
commit d7089497cc
1 changed files with 5 additions and 2 deletions
--- a/iopaint/api.py
+++ b/iopaint/api.py
@@ -183,9 +183,12 @@ class Api:
        return self.app.add_api_route(path, endpoint, **kwargs)

    def api_save_image(self, file: UploadFile):
-        filename = file.filename
+        file_to_write = Path(file.filename)
+        if not file_to_write.is_file():
+            return
+        
        origin_image_bytes = file.file.read()
-        with open(self.config.output_dir / filename, "wb") as fw:
+        with open(self.config.output_dir / file_to_write.name, "wb") as fw:
            fw.write(origin_image_bytes)

    def api_current_model(self) -> ModelInfo: