Sanitize media upload filenames. Closes #397.
This commit is contained in:
parent
fc84082c87
commit
5988ea36cb
3 changed files with 6 additions and 12 deletions
|
@ -51,7 +51,7 @@ func handleUploadMedia(c echo.Context) error {
|
|||
}
|
||||
|
||||
// Generate filename
|
||||
fName := generateFileName(file.Filename)
|
||||
fName := makeFilename(file.Filename)
|
||||
|
||||
// Read file contents in memory
|
||||
src, err := file.Open()
|
||||
|
|
|
@ -4,6 +4,7 @@ import (
|
|||
"bytes"
|
||||
"crypto/rand"
|
||||
"fmt"
|
||||
"path/filepath"
|
||||
"regexp"
|
||||
"strconv"
|
||||
"strings"
|
||||
|
@ -25,13 +26,13 @@ func inArray(val string, vals []string) (ok bool) {
|
|||
return false
|
||||
}
|
||||
|
||||
// generateFileName appends the incoming file's name with a small random hash.
|
||||
func generateFileName(fName string) string {
|
||||
// makeFilename sanitizes a filename (user supplied upload filenames).
|
||||
func makeFilename(fName string) string {
|
||||
name := strings.TrimSpace(fName)
|
||||
if name == "" {
|
||||
name, _ = generateRandomString(10)
|
||||
}
|
||||
return name
|
||||
return filepath.Base(name)
|
||||
}
|
||||
|
||||
// Given an error, pqErrMsg will try to return pq error details
|
||||
|
|
|
@ -8,7 +8,6 @@ import (
|
|||
"path/filepath"
|
||||
"regexp"
|
||||
"strconv"
|
||||
"strings"
|
||||
|
||||
"github.com/knadh/listmonk/internal/media"
|
||||
)
|
||||
|
@ -43,13 +42,7 @@ func NewDiskStore(opts Opts) (media.Store, error) {
|
|||
// Put accepts the filename, the content type and file object itself and stores the file in disk.
|
||||
func (c *Client) Put(filename string, cType string, src io.ReadSeeker) (string, error) {
|
||||
var out *os.File
|
||||
// There's no explicit name. Use the one posted in the HTTP request.
|
||||
if filename == "" {
|
||||
filename = strings.TrimSpace(filename)
|
||||
if filename == "" {
|
||||
filename, _ = generateRandomString(10)
|
||||
}
|
||||
}
|
||||
|
||||
// Get the directory path
|
||||
dir := getDir(c.opts.UploadPath)
|
||||
filename = assertUniqueFilename(dir, filename)
|
||||
|
|
Loading…
Reference in a new issue