Do not overwrite saved media files

noctux · martinetd · commit d0b37bac786f · 2025-03-30T16:01:19.000+09:00
If a file with the requested filename already exists in --media-dir,
divert the write to a new, uniquely named file (based on the original
filename) via the tempfile crate.
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -32,5 +32,6 @@ rand_core = { version = "0.9", features = ["os_rng"] }
 regex = "1.8"
 serde = "1.0"
 serde_json = "1.0"
+tempfile = "3.19.1"
 tokio = { version = "1.0.0", features = ["full"] }
 tokio-util = { version = "0.7", features = ["codec"] }
diff --git a/src/matrix/sync_room_message.rs b/src/matrix/sync_room_message.rs
@@ -25,6 +25,41 @@ use crate::matrix::verification::handle_verification_request;
 /// https://url.spec.whatwg.org/#fragment-percent-encode-set
 const FRAGMENT: &AsciiSet = &CONTROLS.add(b' ').add(b'"').add(b'<').add(b'>').add(b'`');
 
+async fn generate_fresh_file(dir: PathBuf, filename: &str) -> Result<(tokio::fs::File, String)> {
+    let fresh_filepath = tokio::task::spawn_blocking({
+        let filename = String::from(filename);
+        move || -> Result<PathBuf> {
+            let firstdotidx = filename.find('.');
+            let (prefix, suffix) = match firstdotidx {
+                Some(idx) => filename.split_at(idx),
+                None => (filename.as_str(), ""),
+            };
+            let (_, tmpfile) = tempfile::Builder::new()
+                .prefix(&(prefix.to_owned() + "-"))
+                .suffix(&suffix)
+                .tempfile_in(dir)?
+                .keep()?;
+            Ok(tmpfile)
+        }
+    })
+    .await??;
+    let fresh_filename = fresh_filepath
+        .file_name()
+        .context("Internal error: No filename component")?
+        .to_str()
+        .context("Internal error: Non-utf8 filename")?
+        .to_owned();
+    Ok((
+        fs::OpenOptions::new()
+            .write(true)
+            .create(true)
+            .truncate(true)
+            .open(fresh_filepath)
+            .await?,
+        fresh_filename,
+    ))
+}
+
 #[async_trait]
 pub trait SourceUri {
     async fn to_uri(&self, client: &Client, body: &str) -> Result<String>;
@@ -54,12 +89,28 @@ impl SourceUri for MediaSource {
                 .await?
         }
         let file = dir.join(filename);
-        fs::File::create(file).await?.write_all(&content).await?;
+        let plainfh = fs::OpenOptions::new()
+            .write(true)
+            .create_new(true)
+            .open(file)
+            .await;
+        let outfiletuple = match plainfh {
+            Ok(fh) => Ok((fh, filename.to_owned())),
+            Err(err) => {
+                if err.kind() == std::io::ErrorKind::AlreadyExists {
+                    generate_fresh_file(dir, filename).await
+                } else {
+                    Err(anyhow::Error::from(err))
+                }
+            }
+        };
+        let (mut fh, filename) = outfiletuple?;
+        fh.write_all(&content).await?;
         let url = args().media_url.as_ref().unwrap_or(dir_path);
         Ok(format!(
             "{}/{}",
             url,
-            utf8_percent_encode(filename, FRAGMENT)
+            utf8_percent_encode(&filename, FRAGMENT)
         ))
     }
 }
