Commit Graph

4 Commits

Author SHA1 Message Date
Varun Chawla
2657155dfc
fix: block Windows drive-qualified paths in path traversal validation
PurePosixPath doesn't understand Windows drive letters, so paths like
C:/Windows/secret.png or C:secret.png would pass validation but escape
the output directory when joined via os.path.join on Windows.

Add PureWindowsPath check to detect drive-qualified paths on all
platforms. Added tests for Windows drive absolute, relative, and
backslash path variants.
2026-03-24 21:39:24 -07:00
Varun Chawla
d29f0228a8
refactor: use PurePosixPath for path traversal validation per review feedback
2026-03-17 22:19:08 -07:00
Varun Chawla
95c511e167
security: handle Windows backslash path traversal in filename validation
Normalize backslashes to forward slashes before checking for path
traversal patterns, preventing attacks like `folder\..\secret` that
bypass forward-slash-only checks on Windows. Addresses review feedback
from light-and-ray on PR #12353.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-17 22:18:30 -07:00
Varun Chawla
64e1c0a0a6
security: refine path traversal validation to allow consecutive dots in filenames
Fixes #12352

The previous validation incorrectly rejected filenames with consecutive dots
(e.g., test..png) by checking if '..' exists anywhere in the filename.

This commit refines the validation to:
- Block actual path traversal patterns: '../', '/..'
- Block filenames starting with '..' (e.g., '..secret')
- Block absolute paths starting with '/'
- Allow consecutive dots in filenames (e.g., 'test..png', 'my...file.jpg')

Changes:
- Updated validation logic in /view and /upload/mask endpoints
- Added comprehensive test suite covering both security and functionality
- All tests pass: blocks path traversal, allows valid filenames with dots
2026-03-17 22:18:02 -07:00
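
The checks described across these four commit messages, combined into one validator. This is an added example, not the project's code: the function names and the `D:\app\output` base directory are assumptions, and `ntpath.join` stands in for `os.path.join` on Windows so the block runs on any platform.

```python
import ntpath
from pathlib import PurePosixPath, PureWindowsPath


def posix_only_check(name: str) -> bool:
    """Check that relies on PurePosixPath alone (the gap the newest commit describes)."""
    posix = PurePosixPath(name.replace("\\", "/"))
    return not posix.is_absolute() and ".." not in posix.parts


def is_safe_relative_path(name: str) -> bool:
    """Hypothetical validator: True if `name` stays under the output directory."""
    # PurePosixPath treats "C:" as an ordinary name, so ask PureWindowsPath
    # whether the input is drive-qualified (C:/x, C:x, C:\x) on every platform.
    if PureWindowsPath(name).drive:
        return False
    # Treat backslashes as separators so folder\..\secret is seen as traversal.
    normalized = name.replace("\\", "/")
    posix = PurePosixPath(normalized)
    if posix.is_absolute():
        return False
    # Reject ".." only as a whole path component; "test..png" is a legal name.
    if ".." in posix.parts:
        return False
    # Names starting with ".." (e.g. "..secret") are blocked per the first commit.
    if normalized.startswith(".."):
        return False
    return True


def join_on_windows(base: str, name: str) -> str:
    """What os.path.join(base, name) yields on Windows (ntpath is its implementation)."""
    return ntpath.join(base, name)


if __name__ == "__main__":
    base = "D:\\app\\output"  # constructed sample base directory
    samples = ["test..png", "my...file.jpg", "sub/test..png", "..secret",
               "../secret", "folder\\..\\secret", "/etc/passwd",
               "C:/Windows/secret.png", "C:secret.png", "C:\\Windows\\secret.png"]
    for s in samples:
        print(f"{s!r:28} posix_only={posix_only_check(s)!s:5} "
              f"safe={is_safe_relative_path(s)!s:5} joined={join_on_windows(base, s)!r}")
```
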