authorJoramWilander <jwawilander@gmail.com>2015-07-21 15:18:17 -0400
committerJoramWilander <jwawilander@gmail.com>2015-07-21 19:22:04 -0400
commit39abf24708870cec71a84c01063e647b859b2b67 (patch)
tree16b57362681ad4d771a89e11e649a6d942e8ccb6 /api/file.go
parent04408eea375439d69b61d65155fea863b3b1834c (diff)
added sanitization to filenames to remove the possibility of relative paths
Diffstat (limited to 'api/file.go')
-rw-r--r--api/file.go8
1 files changed, 5 insertions, 3 deletions
diff --git a/api/file.go b/api/file.go
index 2abaca709..1dd179422 100644
--- a/api/file.go
+++ b/api/file.go
@@ -89,9 +89,11 @@ func uploadFile(c *Context, w http.ResponseWriter, r *http.Request) {
buf := bytes.NewBuffer(nil)
io.Copy(buf, file)
+ filename := filepath.Base(files[i].Filename)
+
uid := model.NewId()
- path := "teams/" + c.Session.TeamId + "/channels/" + channelId + "/users/" + c.Session.UserId + "/" + uid + "/" + files[i].Filename
+ path := "teams/" + c.Session.TeamId + "/channels/" + channelId + "/users/" + c.Session.UserId + "/" + uid + "/" + filename
if err := writeFile(buf.Bytes(), path); err != nil {
c.Err = err
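Review bot: `filepath.Base` on the new line `filename := filepath.Base(files[i].Filename)` removes directory components, but it passes the special names straight through: `Base("")` and `Base(".")` return `"."`, `Base("..")` returns `".."`, and `Base("/")` returns `"/"`, so a multipart part named `..` still produces a storage path ending in `uid/..`, which on a local filesystem resolves to the parent of the fresh uid directory rather than a file inside it; whether writeFile then fails or writes somewhere unexpected depends on its backend, which is not in the hunk. The call is also OS-dependent: on a Linux server only `/` is a separator, so a name such as `..\..\x` survives intact and ends up verbatim in the storage key and, after encoding, in the returned URL. Suggest an explicit reject right after the Base call, `if filename == "." || filename == ".." || strings.ContainsAny(filename, "/\\") { c.Err = …; return }`, setting `c.Err` the same way the writeFile failure on the following lines does (this needs the `strings` import if the file does not already have it). uploadFile begins before the hunk.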
@@ -99,11 +101,11 @@ func uploadFile(c *Context, w http.ResponseWriter, r *http.Request) {
}
if model.IsFileExtImage(filepath.Ext(files[i].Filename)) {
- imageNameList = append(imageNameList, uid+"/"+files[i].Filename)
+ imageNameList = append(imageNameList, uid+"/"+filename)
imageDataList = append(imageDataList, buf.Bytes())
}
- encName := utils.UrlEncode(files[i].Filename)
+ encName := utils.UrlEncode(filename)
fileUrl := "/" + channelId + "/" + c.Session.UserId + "/" + uid + "/" + encName
resStruct.Filenames = append(resStruct.Filenames, fileUrl)
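Review bot: The image check `if model.IsFileExtImage(filepath.Ext(files[i].Filename))` still reads the raw multipart name while every other use in the hunk was switched to the sanitized `filename`, so the sanitized name is not yet the single source of truth. The two agree in almost all cases, but a name with a trailing separator such as `pic.png/` gives `Ext("")` for the raw name and `.png` for the Base-stripped one, so the file is stored as `pic.png` yet never appended to imageNameList. Changing it to `if model.IsFileExtImage(filepath.Ext(filename)) {` keeps the classification consistent with what is actually written. The enclosing loop and uploadFile continue outside the hunk.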