From 22d1d6a520c6b7fd41a89d933bc4d18cafd7b1ab Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?CERT=20Soci=C3=A9t=C3=A9=20G=C3=A9n=C3=A9rale?=
Date: Mon, 29 Apr 2024 16:48:00 +0200
Subject: [PATCH] improve performance when processing long unicode file names

When using a very UTF8 long file name, `secure_filename()` can slow down the FAME web server.
This performance issue is similar to CVE-2023-46695 in django.

This commit resolve the issue

Thank you https://github.com/Sim4n6 for the report.
---
 fame/common/utils.py | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/fame/common/utils.py b/fame/common/utils.py
index 159ad1c..400883e 100755
--- a/fame/common/utils.py
+++ b/fame/common/utils.py
@@ -122,7 +122,12 @@ def with_timeout(func, timeout, step):
     return None
 
 def sanitize_filename(filename, alternative_name):
-    sanitized_filename = secure_filename(str(filename))
+    if not filename or len(filename) > 1024:
+        # CVE-2023-46695: avoid using secure_filename() when the name is too long
+        sanitized_filename = alternative_name
+    else:
+        sanitized_filename = secure_filename(str(filename))
+
     if not sanitized_filename or len(sanitized_filename) > 200:
         sanitized_filename = alternative_name
     sanitized_filename = sanitized_filename.replace('-', '_')
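Review bot: The new guard calls `len(filename)` on the raw argument, whereas the original always passed it through `str()` first; if any caller hands in a non-string value (a `pathlib.Path`, for instance — the surviving `str(filename)` cast suggests that was anticipated), `len()` now raises `TypeError` where the old code sanitized it. Measure the stringified value instead: `if not filename or len(str(filename)) > 1024:`. The 1024 bound is a bare magic number; a module-level constant such as `MAX_UNSANITIZED_FILENAME_LEN = 1024` with a comment saying the cap exists so that the Unicode normalization inside `secure_filename()` is never run on attacker-sized input (the cited CVE is Django's, the same pattern applies here) would keep the intent from being lost in the next refactor. `sanitize_filename` continues past the end of the hunk.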