I rechecked the code, and this is not a bug. The originalName was never safe to use without sanitation in the print backend.
Quoting the Symfony docs:
Using the original name via getClientOriginalName() or getClientOriginalPath is not safe as it could have been manipulated by the end-user. Moreover, it can contain characters that are not allowed in file names. You should sanitize the value before using it directly.
I think it should explicitly not be a basename to allow teams to see which path they sent to the printer. If the printing backend expects a basename, it should sanitize it.
Description of the problem
The printing API added in 68c297e should also validate the originalName. Print client should send file basename instead of the relative path.
Previously, the originalName was taken from the upload form, but now the user is free to enter it, which may affect some printing backend.
Your environment
DOMJudge master
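
One way to handle the originalName concern discussed in this thread, as an added example that is not DOMjudge or Symfony code: clean the client-supplied name once for display, keeping the relative path, and derive a stricter basename for backends that need one. The function names, the character allow-list and the length cap are assumptions.

```php
<?php
declare(strict_types=1);

// Added example; function names are hypothetical, not part of DOMjudge.

/**
 * Clean a client-supplied file name for display (e.g. on a print header),
 * keeping the relative path so teams can see which path they sent.
 */
function sanitizeDisplayName(string $originalName, int $maxLen = 255): string
{
    // Normalise Windows separators, then drop control characters (NUL,
    // newlines, escape sequences) that could corrupt headers or logs.
    $name = str_replace('\\', '/', $originalName);
    $name = preg_replace('/[\x00-\x1F\x7F]/', '', $name) ?? '';

    // Keep only real path segments: no empty ones, no "." and no "..".
    $segments = [];
    foreach (explode('/', $name) as $segment) {
        if ($segment === '' || $segment === '.' || $segment === '..') {
            continue;
        }
        // Allow-list per segment; every other byte becomes "_".
        $segments[] = preg_replace('/[^A-Za-z0-9._+-]/', '_', $segment) ?? '_';
    }

    $clean = substr(implode('/', $segments), 0, $maxLen);
    return $clean === '' ? 'unnamed' : $clean;
}

/** Basename for backends that write the name to disk or pass it to a command. */
function sanitizeBasename(string $originalName): string
{
    // A leading "-" could be read as an option by a command-line tool.
    $base = ltrim(basename(sanitizeDisplayName($originalName)), '-');
    return $base === '' ? 'unnamed' : $base;
}

// Constructed sample inputs, not taken from the issue.
$samples = ["src/Main.java", "../../etc/passwd", "dir\\-x file;.c", "x\n\x1b[2J.py", ""];
foreach ($samples as $s) {
    printf("%-22s display=%-20s basename=%s\n",
        json_encode($s), sanitizeDisplayName($s), sanitizeBasename($s));
}
```

The sanitized name should still be passed to an external print command as a separate argument rather than interpolated into a shell string.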