1 files changed, 14 insertions, 1 deletions

diff --git a/app/saml.go b/app/saml.go
index 92f0e1f0e..e2bf4ccb2 100644
--- a/app/saml.go
+++ b/app/saml.go
@@ -12,6 +12,7 @@ import (
 	"github.com/mattermost/platform/einterfaces"
 	"github.com/mattermost/platform/model"
 	"github.com/mattermost/platform/utils"
+	"path/filepath"
 )
 
 func GetSamlMetadata() (string, *model.AppError) {
@@ -29,13 +30,19 @@ func GetSamlMetadata() (string, *model.AppError) {
 }
 
 func WriteSamlFile(fileData *multipart.FileHeader) *model.AppError {
+	filename := filepath.Base(fileData.Filename)
+
+	if filename == "." || filename == string(filepath.Separator) {
+		return model.NewLocAppError("AddSamlCertificate", "api.admin.add_certificate.saving.app_error", nil, "")
+	}
+
 	file, err := fileData.Open()
 	defer file.Close()
 	if err != nil {
 		return model.NewLocAppError("AddSamlCertificate", "api.admin.add_certificate.open.app_error", nil, err.Error())
 	}
 
-	out, err := os.Create(utils.FindDir("config") + fileData.Filename)
+	out, err := os.Create(utils.FindDir("config") + filename)
 	if err != nil {
 		return model.NewLocAppError("AddSamlCertificate", "api.admin.add_certificate.saving.app_error", nil, err.Error())
 	}
@@ -106,6 +113,12 @@ func AddSamlIdpCertificate(fileData *multipart.FileHeader) *model.AppError {
 }
 
 func RemoveSamlFile(filename string) *model.AppError {
+	filename = filepath.Base(filename)
+
+	if filename == "." || filename == string(filepath.Separator) {
+		return model.NewLocAppError("AddSamlCertificate", "api.admin.remove_certificate.delete.app_error", nil, "")
+	}
+
 	if err := os.Remove(utils.FindConfigFile(filename)); err != nil {
 		return model.NewLocAppError("removeCertificate", "api.admin.remove_certificate.delete.app_error",
 			map[string]interface{}{"Filename": filename}, err.Error())