Filter invalid secrets on file uploads
Validates secrets provided to FileUploader in order to prevent directory traversal attacks. We generate 32-byte hexadecimal secrets now and generated 10-byte hexadecimal secrets in the past, so these are the only two valid formats permitted. Also adds a test that proves the exploit works without the change, and a test that proves the change resolves the exploit.
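An added illustration of the kind of check the commit message describes; it is not the code from this commit. The names `VALID_SECRET`, `upload_path`, `unvalidated_path`, `rejected?` and the `/srv/uploads` directory are hypothetical, and "32-byte" and "10-byte" are assumed to mean hex strings of 32 and 10 characters.

```ruby
require "pathname"

# Assumption: "32-byte" / "10-byte" in the commit message refer to the length
# of the hex string (32 or 10 characters), not to the random bytes it encodes.
# \A and \z anchor the whole string. In Ruby, ^ and $ match per line, so a
# pattern written with them would accept "0123456789\n../.." as valid.
VALID_SECRET = /\A(?:\h{32}|\h{10})\z/

class InvalidSecret < StandardError; end

# Hypothetical helper: builds the storage path for an upload below base_dir.
def upload_path(base_dir, secret, filename)
  unless secret.is_a?(String) && VALID_SECRET.match?(secret)
    raise InvalidSecret, "secret has an invalid format"
  end

  base = Pathname.new(base_dir).cleanpath
  # File.basename drops directory components from the client-supplied name.
  path = base.join(secret, File.basename(filename)).cleanpath

  # Defence in depth: the resolved path must still sit below the base directory.
  unless path.to_s.start_with?(base.to_s + File::SEPARATOR)
    raise InvalidSecret, "path escapes the upload directory"
  end

  path.to_s
end

# The same path construction with no validation, for comparison only.
def unvalidated_path(base_dir, secret, filename)
  Pathname.new(base_dir).join(secret, filename).cleanpath.to_s
end

# True when upload_path refuses the secret (constructed inputs only).
def rejected?(secret)
  upload_path("/srv/uploads", secret, "a.txt")
  false
rescue InvalidSecret
  true
end
```
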