From 8f86198cbc5e6552a456d2daad1dbd46f9fcda94 Mon Sep 17 00:00:00 2001
From: Nicolas Mowen
Date: Sat, 7 Oct 2023 08:01:49 -0600
Subject: [PATCH] Ensure deleted export file name is safe
---
 frigate/http.py | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/frigate/http.py b/frigate/http.py
index 94c24462c..8f345018b 100644
--- a/frigate/http.py
+++ b/frigate/http.py
@@ -11,6 +11,7 @@ from datetime import datetime, timedelta, timezone
 from functools import reduce
 from pathlib import Path
 from urllib.parse import unquote
+from werkzeug.utils import secure_filename
 import cv2
 import numpy as np
@@ -1820,7 +1821,8 @@ def export_recording(camera_name: str, start_time, end_time):
 @bp.route("/export/", methods=["DELETE"])
 def export_delete(file_name: str):
- file = os.path.join(EXPORT_DIR, file_name)
+ safe_file_name = secure_filename(file_name)
+ file = os.path.join(EXPORT_DIR, safe_file_name)
 if not os.path.exists(file):
 return make_response(
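Review bot: In `export_delete`, `secure_filename(file_name)` can return an empty string when the requested name consists only of characters it strips, and `os.path.join(EXPORT_DIR, "")` then points at the export directory itself, which passes the `os.path.exists(file)` check that follows. The rest of the function is outside the hunk, so what happens next is not visible, but a delete call on a directory would most likely surface as an unhandled error rather than the intended not-found response. I would reject the request up front with `if not safe_file_name or safe_file_name != file_name:` returning a 4xx response, and test `os.path.isfile(file)` instead of `os.path.exists(file)`. The inequality check also covers the case where sanitizing silently maps the requested name onto a different existing export. In the first hunk the new `werkzeug` import sits next to the standard-library imports; it reads better in the third-party group with `cv2` and `numpy`.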