From 566c432601977815c61c42b9233f4e36634f0d2c Mon Sep 17 00:00:00 2001
From: CaffeineFueled
Date: Mon, 25 May 2026 13:29:00 +0200
Subject: [PATCH] sec: ADD exclusive-create to prevent colliisions #23
---
 main.py | 19 ++++++++++---------
 1 file changed, 10 insertions(+), 9 deletions(-)
diff --git a/main.py b/main.py
index 1e6bfb4..4438d10 100644
--- a/main.py
+++ b/main.py
@@ -282,19 +282,20 @@ async def upload_text(request: Request, authorized: bool = Depends(validate_uplo
 reason="empty_content")
 raise HTTPException(status_code=400, detail="Empty content")
- random_path = generate_random_path()
- while (UPLOAD_DIR / random_path).exists():
- random_path = generate_random_path()
-
- file_path = UPLOAD_DIR / random_path
-
 try:
 # Generate deletion token
 deletion_token = generate_deletion_token()
- # Save paste content
- with open(file_path, 'w', encoding='utf-8') as f:
- f.write(content)
+ # Use O_CREAT|O_EXCL (mode 'x') so the kernel rejects collisions atomically
+ while True:
+ random_path = generate_random_path()
+ file_path = UPLOAD_DIR / random_path
+ try:
+ with open(file_path, 'x', encoding='utf-8') as f:
+ f.write(content)
+ break
+ except FileExistsError:
+ continue
 # Save metadata with deletion token
 save_metadata(random_path, deletion_token, client_ip)
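Review bot: The `while True` retry loop added around `open(file_path, 'x', ...)` has no attempt cap and no cleanup on failure. If `f.write(content)` raises after the exclusive create succeeded (disk full, or text that cannot be encoded as UTF-8), the empty or partial file stays in `UPLOAD_DIR` with no metadata and no deletion token, and the same applies if `save_metadata` fails afterwards; the outer `except` is outside the hunk, so whether it removes the file cannot be seen here. The loop also runs synchronously inside an `async def` handler, so a generator that keeps returning taken names would stall the event loop rather than fail the request. I would cap the attempts and unlink the file on any error after creation, as sketched below; the cap and the status code for exhaustion are illustrative. `upload_text` starts and ends outside this hunk.

```python
# … unchanged: deletion token generation …
for _ in range(10):  # illustrative attempt cap
    random_path = generate_random_path()
    file_path = UPLOAD_DIR / random_path
    try:
        f = open(file_path, 'x', encoding='utf-8')
    except FileExistsError:
        continue
    try:
        with f:
            f.write(content)
    except Exception:
        # This name was created by this request; do not leave a partial paste behind.
        file_path.unlink(missing_ok=True)
        raise
    break
else:
    raise HTTPException(status_code=503, detail="Could not allocate paste path")
# … unchanged: save_metadata call (the same unlink-on-failure applies there) …
```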