From be96ef3c69aa497dd0a663de6cc3318fa7d77893 Mon Sep 17 00:00:00 2001 From: anon Date: Sat, 5 Jul 2025 23:39:24 +0200 Subject: [PATCH] fix bug, implement overwritting, bump todo --- TODO.md | 4 +++- upchud.tcl | 12 ++++++++++-- 2 files changed, 13 insertions(+), 3 deletions(-) diff --git a/TODO.md b/TODO.md index 90d4c51..9ae4aff 100644 --- a/TODO.md +++ b/TODO.md @@ -1,2 +1,4 @@ -* configurable force overwritting * include some tmp file cleaner scripts or atleast leave recommendations +* by spoofing the request, it might be currently possible to upload files +to a parent dictionary; this should be tested and fixed, but should be fine +as long as the person running the service doesnt run it as root diff --git a/upchud.tcl b/upchud.tcl index 544994a..6e39fd6 100755 --- a/upchud.tcl +++ b/upchud.tcl @@ -15,6 +15,8 @@ set mangle_char_set {0123456789abcdefghijklmnopqrstuvwxyz} # $::mangle_lenght and $::mangle_char_set are small, you could end up with a dead lock. # This value is the fail-safe. set max_save_attempts 20 +# Alternative to $::max_save_attempts. When on, collisons clobber. +set overwrite_uploads 0 # The output of this function is (ideally) what the user will see. # I have provided a few default behaviours, but you do you champ. proc send_success {upload_name} { @@ -107,13 +109,19 @@ proc get_out_name {orig_name} { return $name } - if { $::mangle_lenght == 0 } { return $orig_name } + if { $::mangle_lenght == 0 } { + if { $::overwrite_uploads || ![file exists $out_name] } { + return "$::outdir/$orig_name" + } else { + raise_fatal + } + } set extension [file extension $orig_name] for { set tries 1 } { $tries <= $::max_save_attempts } { incr tries } { set out_name "$::outdir/[get_random_name]$extension" - if { ![file exists $out_name] } { break } + if { $::overwrite_uploads || ![file exists $out_name] } { break } } return $out_name -- 2.39.5