From 853ace7d83424f85d903f6ffe2352bf41f86b7ce Mon Sep 17 00:00:00 2001
From: jfriedli
Date: Fri, 8 May 2020 09:10:18 -0700
Subject: Resolve "Fuzzing Errors /api/upload"
---
 matweb/rest_api.py | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)
(limited to 'matweb/rest_api.py')
diff --git a/matweb/rest_api.py b/matweb/rest_api.py
index 4098050..a07d2d2 100644
--- a/matweb/rest_api.py
+++ b/matweb/rest_api.py
@@ -28,11 +28,15 @@ class APIUpload(Resource):
 args = req_parser.parse_args()
 try:
 file_data = base64.b64decode(args['file'])
- except binascii.Error as err:
- abort(400, message='Failed decoding file: ' + str(err))
+ except (binascii.Error, ValueError):
+ abort(400, message='Failed decoding file')
 file = FileStorage(stream=io.BytesIO(file_data), filename=args['file_name'])
- filename, filepath = utils.save_file(file, self.upload_folder)
+ try:
+ filename, filepath = utils.save_file(file, self.upload_folder)
+ except ValueError:
+ abort(400, message='Invalid Filename')
+
 parser, mime = utils.get_file_parser(filepath)
 if parser is None:
-- 
cgit v1.3
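Review bot: The decode inside the first `try` still uses the lenient default of `base64.b64decode`, which silently discards characters outside the base64 alphabet, so a payload with embedded junk is decoded and saved instead of getting the new 400. If clients are not expected to send line-wrapped base64, make it strict with `file_data = base64.b64decode(args['file'], validate=True)`. In the same handler, `binascii.Error` is a subclass of `ValueError`, so `except ValueError:` alone covers both cases. The second handler reports every `ValueError` from `utils.save_file` as 'Invalid Filename'; `save_file` is not visible here, so it is worth confirming that is the only reason it raises one. Since the exception text no longer reaches the client, consider logging it server-side before each `abort`; the enclosing method starts and ends outside this hunk.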