From 928ec71a56241fd8ae91ec4c1a1866bdbd219b5a Mon Sep 17 00:00:00 2001
From: Draget <3639577+dragetd@users.noreply.github.com>
Date: Sat, 9 May 2026 12:03:24 +0200
Subject: [PATCH] Sanitize downloaded filenames This makes sure, the filenames sent by the server are sanitized from path separators and directory traversals (. / ..), defaulting to 'document' if nothing is left. Fixes #7
---
 src/app/send.rs | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/src/app/send.rs b/src/app/send.rs
index dca6cbe..27487f9 100644
--- a/src/app/send.rs
+++ b/src/app/send.rs
@@ -2332,7 +2332,11 @@ fn get_media_filename(media: &grammers_client::types::Media, msg_id: i64) -> (St
 Media::Document(doc) => {
 // Try to get original filename
 if !doc.name().is_empty() {
- let name = doc.name();
+ let name = doc
+ .name()
+ .rsplit(['/', '\\'])
+ .find(|part| !part.is_empty() && *part != "." && *part != "..")
+ .unwrap_or("document");
 if let Some(pos) = name.rfind('.') {
 return (name[..pos].to_string(), name[pos + 1..].to_string());
 }
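Review bot: The new `.find(...)` predicate rejects only components that are exactly empty, `.` or `..`, so a server-supplied component made solely of dots and spaces, or one containing `:` or control characters, is still returned as the filename. On Windows, trailing dots and spaces are dropped during path resolution and a drive-style prefix can replace the base directory when the name is joined; whether that is reachable depends on how the caller builds the output path, which is outside this hunk. I would tighten the predicate to `.find(|part| !part.trim_matches(['.', ' ']).is_empty() && !part.contains(|c: char| c == ':' || c.is_control()))`. Separately, the sanitized name is split at its last `.` on the following line, so a dot-leading component such as `.config` yields an empty stem; get_media_filename continues past the hunk, so confirm the caller copes with that. A unit test covering separators, `..` and the `document` fallback would pin the behaviour.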