improve performance when processing long unicode file names

When using a very UTF8 long file name, `secure_filename()` can slow down the FAME web server. This performance issue is similar to CVE-2023-46695 in django. This commit resolve the issue Thank you https://github.com/Sim4n6 for the report.
certsocietegenerale · Apr 29, 2024 · 22d1d6a · 22d1d6a
1 parent 2e3d8bc
commit 22d1d6a
Showing 1 changed file with 6 additions and 1 deletion.
diff --git a/fame/common/utils.py b/fame/common/utils.py
@@ -122,7 +122,12 @@ def with_timeout(func, timeout, step):
     return None
 
 def sanitize_filename(filename, alternative_name):
-    sanitized_filename = secure_filename(str(filename))
+    if not filename or len(filename) > 1024:
+        # CVE-2023-46695: avoid using secure_filename() when the name is too long
+        sanitized_filename = alternative_name
+    else:
+        sanitized_filename = secure_filename(str(filename))
+
     if not sanitized_filename or len(sanitized_filename) > 200:
         sanitized_filename = alternative_name
     sanitized_filename = sanitized_filename.replace('-', '_')