[Android] Prevent a path traversal issue when uploading file through the remote access

Nicolas Pomepuy git at videolan.org
Thu May 7 08:19:58 UTC 2026


vlc-android | branch: master | Nicolas Pomepuy <nicolas at videolabs.io> | Tue Mar 31 13:18:17 2026 +0200| [4f0c7c7785a46d6e8ae3994b99cad74d19490ecd] | committer: Nicolas Pomepuy

Prevent a path traversal issue when uploading file through the remote access

> https://code.videolan.org/videolan/vlc-android/commit/4f0c7c7785a46d6e8ae3994b99cad74d19490ecd
---

 .../org/videolan/vlc/remoteaccessserver/RemoteAccessRouting.kt   | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/application/remote-access-server/src/main/java/org/videolan/vlc/remoteaccessserver/RemoteAccessRouting.kt b/application/remote-access-server/src/main/java/org/videolan/vlc/remoteaccessserver/RemoteAccessRouting.kt
index c2ea2fa3bc..52d33835ae 100644
--- a/application/remote-access-server/src/main/java/org/videolan/vlc/remoteaccessserver/RemoteAccessRouting.kt
+++ b/application/remote-access-server/src/main/java/org/videolan/vlc/remoteaccessserver/RemoteAccessRouting.kt
@@ -235,8 +235,13 @@ fun Route.setupRouting(appContext: Context, scope: CoroutineScope) {
                 is PartData.FileItem -> {
                     File("${AndroidDevices.MediaFolders.EXTERNAL_PUBLIC_DOWNLOAD_DIRECTORY_URI.path}/uploads").mkdirs()
                     fileName = part.originalFileName as String
-                    var fileBytes = part.streamProvider().readBytes()
-                    File("${AndroidDevices.MediaFolders.EXTERNAL_PUBLIC_DOWNLOAD_DIRECTORY_URI.path}/uploads/$fileName").writeBytes(fileBytes)
+                    val fileBytes = part.streamProvider().readBytes()
+                    val file = File("${AndroidDevices.MediaFolders.EXTERNAL_PUBLIC_DOWNLOAD_DIRECTORY_URI.path}/uploads/$fileName")
+                    if (file.canonicalFile.parent?.startsWith(File("${AndroidDevices.MediaFolders.EXTERNAL_PUBLIC_DOWNLOAD_DIRECTORY_URI.path}/uploads").absolutePath) != true) {
+                        call.respond(HttpStatusCode.Unauthorized)
+                        throw (IllegalStateException("${file.canonicalFile.parent} is not a valid path"))
+                    }
+                    file.writeBytes(fileBytes)
                 }
                 else -> {}
             }
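Review bot: the containment check at the new `if` is a plain string prefix test, so a sibling directory whose name begins with `uploads` (for example `uploads2` or `uploads_old`) would pass it: `canonicalFile.parent` for such a path starts with `.../uploads` and `startsWith` does not require a path separator after the prefix. Either compare the resolved parent directly, e.g. `if (file.canonicalFile.parentFile != uploadsDir.canonicalFile)`, or append `File.separator` to the prefix before calling `startsWith`. Two related points in the same block: the base directory is taken with `absolutePath` while the candidate is taken with `canonicalFile`, so if any component of the base path is a symlink the two forms will never match and every upload is rejected; using `canonicalPath` on both sides avoids that. And `part.streamProvider().readBytes()` runs before the name is validated, so a rejected request still costs a full in-memory read of the body; moving the check above the read, responding with `HttpStatusCode.BadRequest` (or `Forbidden`) rather than `Unauthorized`, and returning instead of responding and then throwing would make the rejection path cheaper and the status more accurate.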


