From 1f217d65a01e26464bb60ee211f2219776bea7bc Mon Sep 17 00:00:00 2001 From: Janek Bevendorff Date: Sun, 8 Mar 2026 17:50:48 +0100 Subject: [PATCH] Sanitise attachment file names before saving (#13114) Reported by @yuki-matsuhashi --- src/gui/entry/EntryAttachmentsWidget.cpp | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/src/gui/entry/EntryAttachmentsWidget.cpp b/src/gui/entry/EntryAttachmentsWidget.cpp index 523850010..0cd45d157 100644 --- a/src/gui/entry/EntryAttachmentsWidget.cpp +++ b/src/gui/entry/EntryAttachmentsWidget.cpp @@ -27,6 +27,7 @@ #include #include #include +#include #include #include @@ -368,8 +369,9 @@ void EntryAttachmentsWidget::saveSelectedAttachments() QStringList errors; for (const QModelIndex& index : indexes) { - const QString filename = m_attachmentsModel->keyByIndex(index); - const QString attachmentPath = saveDir.absoluteFilePath(filename); + QString attachmentKey = m_attachmentsModel->keyByIndex(index); + const QString fileNameSanitized = attachmentKey.replace(QRegExp("[/\\\\]"), ""); + const QString attachmentPath = saveDir.absoluteFilePath(fileNameSanitized); if (QFileInfo::exists(attachmentPath)) { @@ -382,7 +384,7 @@ void EntryAttachmentsWidget::saveSelectedAttachments() tr("Are you sure you want to overwrite the existing file \"%1\" with the attachment?")); auto result = MessageBox::question( - this, tr("Confirm overwrite"), questionText.arg(filename), buttons, MessageBox::Cancel); + this, tr("Confirm overwrite"), questionText.arg(fileNameSanitized), buttons, MessageBox::Cancel); if (result == MessageBox::Skip) { continue; 
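Review bot: `attachmentKey.replace(QRegExp("[/\\\\]"), "")` in the second hunk mutates attachmentKey in place (the const was dropped to allow exactly that overload), so the key the fourth hunk passes to `m_entryAttachments->value(attachmentKey)` is the sanitised name rather than the original key; for any attachment whose key contains a separator the lookup misses, and if value() returns an empty QByteArray for an unknown key then `file.write(attachmentData) == attachmentData.size()` still holds and a 0-byte file is written with no error reported. Sanitise a copy and keep the key const: `const QString attachmentKey = m_attachmentsModel->keyByIndex(index);` followed by `const QString fileNameSanitized = QString(attachmentKey).replace(QRegExp("[/\\\\]"), "");`. The stripped name can also end up empty or equal to `.`/`..` (a key made only of separators), in which case absoluteFilePath() resolves to a directory and the open fails with a confusing error, so a placeholder name for those cases would be cleaner. On Windows a colon is still accepted and NTFS interprets `name:stream` as an alternate data stream, so the data would be written where the user does not see it; QRegularExpression is also preferred over the deprecated QRegExp in Qt 5. saveSelectedAttachments() starts before the hunk.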
@@ -392,11 +394,11 @@ void EntryAttachmentsWidget::saveSelectedAttachments() } QFile file(attachmentPath); - const QByteArray attachmentData = m_entryAttachments->value(filename); + const QByteArray attachmentData = m_entryAttachments->value(attachmentKey); const bool saveOk = file.open(QIODevice::WriteOnly) && file.setPermissions(QFile::ReadUser | QFile::WriteUser) && file.write(attachmentData) == attachmentData.size(); if (!saveOk) { - errors.append(QString("%1 - %2").arg(filename, file.errorString())); + errors.append(QString("%1 - %2").arg(fileNameSanitized, file.errorString())); } }