Do not overwrite saved media files

noctux · martinetd · commit e017b3bded4b · 2025-03-31T07:47:11.000+09:00
If a file with the requested filename already exists in --media-dir,
divert the write to a new, uniquely named file (based on the original
filename) via the tempfile crate.
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -32,5 +32,6 @@ rand_core = { version = "0.9", features = ["os_rng"] }
 regex = "1.8"
 serde = "1.0"
 serde_json = "1.0"
+tempfile = "3.19.1"
 tokio = { version = "1.0.0", features = ["full"] }
 tokio-util = { version = "0.7", features = ["codec"] }
diff --git a/src/matrix/sync_room_message.rs b/src/matrix/sync_room_message.rs
@@ -12,7 +12,9 @@ use matrix_sdk::{
     Client, RoomState,
 };
 use percent_encoding::{utf8_percent_encode, AsciiSet, CONTROLS};
-use std::path::PathBuf;
+use std::ffi::OsStr;
+use std::path::{Path, PathBuf};
+
 use tokio::fs;
 use tokio::io::AsyncWriteExt;
 
@@ -25,6 +27,37 @@ use crate::matrix::verification::handle_verification_request;
 /// https://url.spec.whatwg.org/#fragment-percent-encode-set
 const FRAGMENT: &AsciiSet = &CONTROLS.add(b' ').add(b'"').add(b'<').add(b'>').add(b'`');
 
+async fn generate_fresh_file(dir: PathBuf, filename: &str) -> Result<(tokio::fs::File, String)> {
+    let filename = Path::new(filename);
+    let prefix = filename
+        .file_stem()
+        .and_then(OsStr::to_str)
+        .map(|s| format!("{}-", s))
+        .unwrap_or_else(|| "noname-".to_string());
+    let suffix = filename
+        .extension()
+        .and_then(OsStr::to_str)
+        .map(|s| format!(".{}", s))
+        .unwrap_or_default();
+
+    tokio::task::spawn_blocking(move || {
+        let (filehandle, filepath) = tempfile::Builder::new()
+            .prefix(&prefix)
+            .suffix(&suffix)
+            .tempfile_in(dir)?
+            .keep()?;
+
+        let fresh_filename = filepath
+            .file_name()
+            .context("Internal error: No filename component")?
+            .to_str()
+            .context("Internal error: Non-utf8 filename")?
+            .to_owned();
+        Ok((tokio::fs::File::from(filehandle), fresh_filename))
+    })
+    .await?
+}
+
 #[async_trait]
 pub trait SourceUri {
     async fn to_uri(&self, client: &Client, body: &str) -> Result<String>;
@@ -54,12 +87,28 @@ impl SourceUri for MediaSource {
                 .await?
         }
         let file = dir.join(filename);
-        fs::File::create(file).await?.write_all(&content).await?;
+        let plainfh = fs::OpenOptions::new()
+            .write(true)
+            .create_new(true)
+            .open(file)
+            .await;
+        let outfiletuple = match plainfh {
+            Ok(fh) => Ok((fh, filename.to_owned())),
+            Err(err) => {
+                if err.kind() == std::io::ErrorKind::AlreadyExists {
+                    generate_fresh_file(dir, filename).await
+                } else {
+                    Err(anyhow::Error::from(err))
+                }
+            }
+        };
+        let (mut fh, filename) = outfiletuple?;
+        fh.write_all(&content).await?;
         let url = args().media_url.as_ref().unwrap_or(dir_path);
         Ok(format!(
             "{}/{}",
             url,
-            utf8_percent_encode(filename, FRAGMENT)
+            utf8_percent_encode(&filename, FRAGMENT)
         ))
     }
 }
