FIX: only allow printable characters in uploads filename

2024-11-22 15:52:11 +08:00 · 2018-08-21 18:11:01 +02:00 · 2018-08-21 18:11:01 +02:00 · d1607a387a
commit d1607a387a
parent e94b5b4d78
2 changed files with 3 additions and 3 deletions
--- a/lib/upload_creator.rb
+++ b/lib/upload_creator.rb
@ -22,8 +22,8 @@ class UploadCreator
  #  - for_export (boolean)
  def initialize(file, filename, opts = {})
    @file = file
-    @filename = filename || ''
-    @upload = Upload.new(original_filename: filename, filesize: 0)
+    @filename = (filename || "").gsub(/[^[:print:]]/, "")
+    @upload = Upload.new(original_filename: @filename, filesize: 0)
    @opts = opts
  end

--- a/spec/lib/upload_creator_spec.rb
+++ b/spec/lib/upload_creator_spec.rb
@ -14,7 +14,7 @@ RSpec.describe UploadCreator do

      it 'should store the upload with the right extension' do
        expect do
-          UploadCreator.new(file, filename).create_for(user.id)
+          UploadCreator.new(file, "utf-8\n.txt").create_for(user.id)
        end.to change { Upload.count }.by(1)

        upload = Upload.last