From 8941aa531138a5df553ee21efa6f3c9780e551c2 Mon Sep 17 00:00:00 2001
From: Nicolas Mowen
Date: Sat, 7 Oct 2023 08:12:48 -0600
Subject: [PATCH] Ensure deleted export file name is safe (#8089)

* Ensure deleted export file name is safe
* Fix import
---
 frigate/http.py | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/frigate/http.py b/frigate/http.py
index 94c24462c..f9b64b0a4 100644
--- a/frigate/http.py
+++ b/frigate/http.py
@@ -29,6 +29,7 @@ from peewee import DoesNotExist, fn, operator
 from playhouse.shortcuts import model_to_dict
 from playhouse.sqliteq import SqliteQueueDatabase
 from tzlocal import get_localzone_name
+from werkzeug.utils import secure_filename
 
 from frigate.config import FrigateConfig
 from frigate.const import (
@@ -1820,7 +1821,8 @@ def export_recording(camera_name: str, start_time, end_time):
 
 @bp.route("/export/", methods=["DELETE"])
 def export_delete(file_name: str):
- file = os.path.join(EXPORT_DIR, file_name)
+ safe_file_name = secure_filename(file_name)
+ file = os.path.join(EXPORT_DIR, safe_file_name)
 
 if not os.path.exists(file):
 return make_response(
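Review bot: `secure_filename()` can return an empty string (for example when the requested name consists only of dots), and in `export_delete` that makes `os.path.join(EXPORT_DIR, safe_file_name)` resolve to the export directory itself, so the `os.path.exists(file)` check passes and whatever delete call follows is handed a directory. It also rewrites names rather than rejecting them (spaces become underscores, non-ASCII characters are dropped), so a DELETE can act on a different file than the one named in the request. I would reject instead of rewrite, with `if not safe_file_name or safe_file_name != file_name:` returning an error response before the path is built, and use `os.path.isfile(file)` for the existence check. The rest of `export_delete` lies outside the hunk, so how the delete call behaves on a directory is inferred rather than visible here.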