From 030e86e205d558cb23fd1e8807d53034c942a8fa Mon Sep 17 00:00:00 2001
From: James Magahern <james@magahern.com>
Date: Fri, 29 Mar 2024 17:08:04 -0700
Subject: [PATCH] uploadAttachment: [Security] sanitize incoming filename

---
 .../Bridge/Operations/MBIMUploadAttachmentOperation.m    | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/kordophone/Bridge/Operations/MBIMUploadAttachmentOperation.m b/kordophone/Bridge/Operations/MBIMUploadAttachmentOperation.m
index 3ec8a64..832b5c1 100644
--- a/kordophone/Bridge/Operations/MBIMUploadAttachmentOperation.m
+++ b/kordophone/Bridge/Operations/MBIMUploadAttachmentOperation.m
@@ -38,7 +38,14 @@
             break;
         }
         
-        NSString *localPath = [NSTemporaryDirectory() stringByAppendingPathComponent:filename];
+        // Sanitize filename
+        NSCharacterSet *dotCharacter = [NSCharacterSet characterSetWithCharactersInString:@"."];
+		NSCharacterSet *illegalFileNameCharacters = [NSCharacterSet characterSetWithCharactersInString:@"/\\?%*|\"<>"];
+		NSString *sanitizedFilename = [[[filename componentsSeparatedByCharactersInSet:illegalFileNameCharacters]
+			componentsJoinedByString:@"-"]
+			stringByTrimmingCharactersInSet:dotCharacter];
+
+        NSString *localPath = [NSTemporaryDirectory() stringByAppendingPathComponent:sanitizedFilename];
         NSURL *localURL = [NSURL fileURLWithPath:localPath];
         BOOL success = [attachmentData writeToURL:localURL atomically:NO];
         if (!success) {