From 2100ca5d66afd70498a5c1979bebd99156416ba1 Mon Sep 17 00:00:00 2001
From: Holger Weiss
Date: Fri, 20 Jul 2018 23:34:34 +0200
Subject: [PATCH] Apply file name sanitization for GET requests

Perform the same file name sanitization for GET requests as for PUT requests.
---
 upload.pm | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)

diff --git a/upload.pm b/upload.pm
index eb558b3..54f286b 100644
--- a/upload.pm
+++ b/upload.pm
@@ -61,11 +61,12 @@ sub handle {
 
 sub handle_get_or_head {
     my $r = shift;
+    my $file_path = safe_filename($r);
 
-    if (-r $r->filename and -f _) {
+    if (-r $file_path and -f _) {
         $r->allow_ranges;
         $r->send_http_header;
-        $r->sendfile($r->filename) unless $r->header_only;
+        $r->sendfile($file_path) unless $r->header_only;
         return OK;
     } else {
         return DECLINED;
@@ -100,8 +101,7 @@ sub handle_put {
 
 sub handle_put_body {
     my $r = shift;
-    my $safe_uri = $r->uri =~ s|[^\p{Alnum}/_.-]|_|gr;
-    my $file_path = substr($r->filename, 0, -length($r->uri)) . $safe_uri;
+    my $file_path = safe_filename($r);
     my $dir_path = dirname($file_path);
 
     make_path($dir_path, {chmod => $dir_mode, error => \my $error});
@@ -180,6 +180,13 @@ sub add_custom_headers {
     }
 }
 
+sub safe_filename {
+    my $r = shift;
+    my $safe_uri = $r->uri =~ s|[^\p{Alnum}/_.-]|_|gr;
+
+    return substr($r->filename, 0, -length($r->uri)) . $safe_uri;
+}
+
 sub safe_eq {
     my $a = shift;
     my $b = shift;
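Review bot: The file handed to `$r->sendfile` on the last changed line is now `$file_path`, which differs from `$r->filename` whenever the request name contains a character outside `[\p{Alnum}/_.-]`, so the server's own per-file access decisions (which presumably ran against `$r->filename`) no longer necessarily describe the file actually served; that is probably acceptable because the upload side only ever writes names of the sanitized shape, but nothing in the hunk says so. I would add above the `if`: `# Resolve to the same sanitized name handle_put_body stores under, so a GET for a name containing stray characters fetches the file that was actually written.` The `-r`/`-f` test on the sanitized path still follows symlinks and is still separated from the `sendfile` by a small window, exactly as before the change. The body of handle_get_or_head continues past the end of the hunk.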
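Review bot: `safe_filename` documents neither of the two assumptions it rests on: that `$r->filename` ends with `$r->uri` byte for byte (otherwise the `substr` strips the wrong prefix and the result can land outside the intended directory), and that `.` and `/` are deliberately kept, so the regex itself does not neutralize a `..` segment — that is only safe if the URI reaches the handler already normalized by the server, which the code assumes rather than checks. I would add a header comment stating both points and a guard before the `return`, e.g. `my $uri = $r->uri;` followed by `die "unexpected filename/URI mapping" unless substr($r->filename, -length($uri)) eq $uri;` (or an error the two callers turn into a failure response). Separately, if `$r->uri` is an undecoded byte string, `\p{Alnum}` also matches Latin-1 letters such as 0xC3, so multi-byte UTF-8 names are only partially replaced and can leave invalid UTF-8 fragments in the stored name; an ASCII-only class (`[^A-Za-z0-9/_.-]`) would be the simpler rule if non-ASCII names are not expected, though that changes which existing uploads resolve.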