diff --git a/frigate/api/media.py b/frigate/api/media.py
index 519467643..89ea98512 100644
--- a/frigate/api/media.py
+++ b/frigate/api/media.py
@@ -392,7 +392,14 @@ def recording_clip(camera_name, start_ts, end_ts):
 if clip.end_time > end_ts:
 playlist_lines.append(f"outpoint {int(end_ts - clip.start_time)}")
- file_name = secure_filename(f"clip_{camera_name}_{start_ts}-{end_ts}.mp4")
+ file_name = f"clip_{camera_name}_{start_ts}-{end_ts}.mp4"
+
+ if len(file_name) > 1000:
+ return make_response(
+ jsonify({"success": False, "message": "Filename exceeded max length of 1000"}), 403
+ )
+
+ file_name = secure_filename(file_name)
 path = os.path.join(CACHE_DIR, file_name)
 if not os.path.exists(path):
@@ -1167,7 +1174,14 @@ def preview_gif(camera_name: str, start_ts, end_ts, max_cache_age=2592000):
 @MediaBp.route("//start//end//preview.mp4")
 @MediaBp.route("//start//end//preview.mp4")
 def preview_mp4(camera_name: str, start_ts, end_ts):
- file_name = secure_filename(f"clip_{camera_name}_{start_ts}-{end_ts}.mp4")
+ file_name = f"clip_{camera_name}_{start_ts}-{end_ts}.mp4"
+
+ if len(file_name) > 1000:
+ return make_response(
+ jsonify({"success": False, "message": "Filename exceeded max length of 1000 characters."}), 403
+ )
+
+ file_name = secure_filename(file_name)
 path = os.path.join(CACHE_DIR, file_name)
 if datetime.fromtimestamp(start_ts) < datetime.now().replace(minute=0, second=0):
@@ -1337,6 +1351,11 @@ def review_preview(id: str):
 @MediaBp.route("/preview//thumbnail.webp")
 def preview_thumbnail(file_name: str):
 """Get a thumbnail from the cached preview frames."""
+ if len(file_name) > 1000:
+ return make_response(
+ jsonify({"success": False, "message": "Filename exceeded max length of 1000"}), 403
+ )
+
 safe_file_name_current = secure_filename(file_name)
 preview_dir = os.path.join(CACHE_DIR, "preview_frames")
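Review bot: The new guard answers an over-long name with 403, which tells the client it lacks permission rather than that the request is malformed; 400 fits better, e.g. `jsonify({"success": False, "message": "Filename exceeded max length of 1000"}), 400`, and the same applies to the identical checks added in preview_mp4 and preview_thumbnail. The 1000-character ceiling is also well above the 255-byte name limit of common Linux filesystems, so a name between the two still passes the guard and reaches `os.path.join(CACHE_DIR, file_name)`. If the intent is only to bound the input handed to `secure_filename`, a comment such as `# bounds the input to secure_filename; filesystem name limits are not enforced here` would record that. In recording_clip the check also sits after the playlist-building lines shown as context above it, so the request is rejected only after that work; the function starts outside the hunk, so whether the check can move to the top is for the author to confirm.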
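Review bot: The message in preview_mp4 ends in `characters.` while the otherwise identical responses in recording_clip and preview_thumbnail stop at `1000`, and the literal 1000 now appears in three conditions and three strings. A module-level constant, for example `MAX_FILE_NAME_LENGTH = 1000`, with the message built from it as `f"Filename exceeded max length of {MAX_FILE_NAME_LENGTH}"`, would keep the three checks in step when the limit changes. preview_mp4 continues past the end of the hunk.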