aitzol/Plume
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Make media extension parsing safer (#459)

Browse Source 
Only keep it if contains letters and numbers only, otherwise remove it.

To be merged before #452
This commit is contained in:
Baptiste Gelez 2019-03-06 14:09:43 +01:00 committed by GitHub
parent 2a188abfa1
commit a5e0486da0
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 13 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
src/routes/medias.rs
View File

@ -35,9 +35,19 @@ pub fn upload(user: User, data: Data, ct: &ContentType, conn: DbConn) -> Result<
let filename = fields.get("file").and_then(|v| v.into_iter().next()) let filename = fields.get("file").and_then(|v| v.into_iter().next())
.ok_or_else(|| status::BadRequest(Some("No file uploaded")))?.headers .ok_or_else(|| status::BadRequest(Some("No file uploaded")))?.headers
.filename.clone(); .filename.clone();
let ext = filename.and_then(|f| f.rsplit('.').next().map(|ext| ext.to_owned())) // Remove extension if it contains something else than just letters and numbers
.unwrap_or_else(|| "png".to_owned()); let ext = filename
let dest = format!("static/media/{}.{}", GUID::rand().to_string(), ext); .and_then(|f| f
.rsplit('.')
.next()
.and_then(|ext| if ext.chars().any(|c| !c.is_alphanumeric()) {
None
} else {
Some(ext.to_lowercase())
})
.map(|ext| format!(".{}", ext))
).unwrap_or_default();
let dest = format!("static/media/{}{}", GUID::rand().to_string(), ext);
match fields["file"][0].data { match fields["file"][0].data {
SavedData::Bytes(ref bytes) => fs::write(&dest, bytes).map_err(|_| status::BadRequest(Some("Couldn't save upload")))?, SavedData::Bytes(ref bytes) => fs::write(&dest, bytes).map_err(|_| status::BadRequest(Some("Couldn't save upload")))?,