Legacy file upload
What's broken on purpose:
- Path traversal — the uploaded filename is used
verbatim. A filename containing
../writes outsideuploads_public/. - Weak blacklist — only
.exe,.py,.sh,.phpare blocked, and the check is case-sensitive..HTML,.svg,.Php, double extensions, all pass. - No size cap, no magic-byte sniff.
- Public serving — accepted files are served back
at
/files/<name>, so.html/.svguploads enable stored XSS on subsequent fetch.
The JSON response echoes stored_path (resolved real path)
so you can confirm whether a traversal escaped the upload root.