From 0eeb8ea74eca1dd97db9b1fac0d7f9ce03390b69 Mon Sep 17 00:00:00 2001
From: niggy <niggygitlab@proton.me>
Date: Mon, 4 Sep 2023 08:47:01 +0000
Subject: [PATCH] Update pack.ex

---
 lib/pleroma/emoji/pack.ex | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/lib/pleroma/emoji/pack.ex b/lib/pleroma/emoji/pack.ex
index 6e58f88981..6b18025a84 100644
--- a/lib/pleroma/emoji/pack.ex
+++ b/lib/pleroma/emoji/pack.ex
@@ -28,6 +28,8 @@ defmodule Pleroma.Emoji.Pack do
 
   @spec create(String.t()) :: {:ok, t()} | {:error, File.posix()} | {:error, :empty_values}
   def create(name) do
+    name = safe_path(name)
+
     with :ok <- validate_not_empty([name]),
          dir <- Path.join(emoji_path(), name),
          :ok <- File.mkdir(dir) do
@@ -472,6 +474,7 @@ defp validate_not_empty(list) do
   end
 
   defp save_file(%Plug.Upload{path: upload_path}, pack, filename) do
+    filename = safe_path(filename)
     file_path = Path.join(pack.path, filename)
     create_subdirs(file_path)
 
@@ -491,6 +494,8 @@ defp delete_emoji(pack, shortcode) do
   end
 
   defp rename_file(pack, filename, new_filename) do
+    filename = safe_path(filename)
+    new_filename = safe_path(new_filename)
     old_path = Path.join(pack.path, filename)
     new_path = Path.join(pack.path, new_filename)
     create_subdirs(new_path)
@@ -652,4 +657,13 @@ defp validate_has_all_files(pack, zip) do
       |> if(do: :ok, else: {:error, :incomplete})
     end
   end
+
+  defp safe_path(path) do
+    elems = Path.split(path) |> Enum.reject(fn x -> x == ".." end)
+
+    case length(elems) do
+      x when x < 2 -> Enum.join(elems)
+      _ -> Path.join(elems)
+    end
+  end
 end