Fix possible server-size DoS vulnerability

KirillSmirnov · KirillSmirnov · commit 5ad623eb0405 · 2024-01-27T21:44:07.000+03:00
Signed-off-by: Kirill K. Smirnov &lt;kirill.k.smirnov@gmail.com&gt;
diff --git a/src/flask_se_auth.py b/src/flask_se_auth.py
@@ -248,6 +248,12 @@ def upload_avatar():
         if file.filename == "":
             flash("No selected file")
             return redirect(request.url)
+        # Sanity check: limit uploadable filename
+        # to avoid excessive burden to NFKD normalization
+        # in secure_filename() method
+        if len(file.filename) > 1000:
+            flash("Filename too long")
+            return redirect(request.url)
         if file and allowed_file(file.filename):
             filename = secure_filename(file.filename)
             new_filename = os.urandom(16).hex()
