Nemcio/NodeBB
1
0
Fork 0
mirror of https://github.com/NodeBB/NodeBB.git synced 2025-10-26 16:46:12 +01:00
Code Issues Packages Projects Releases Wiki Activity

fix: check uploadName

Browse Source
This commit is contained in:
Barış Soner Uşaklı
2020-01-19 11:56:13 -05:00
parent 1656738359
commit 153b1a0eaa
1 changed files with 4 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
src/user/uploads.js
View File

@@ -18,6 +18,10 @@ module.exports = function (User) {
throw new Error('[[error:no-privileges]]'); throw new Error('[[error:no-privileges]]');
} }
if (uploadName.startsWith('.')) {
throw new Error('[[error:invalid-path]]');
}
winston.verbose('[user/deleteUpload] Deleting ' + uploadName); winston.verbose('[user/deleteUpload] Deleting ' + uploadName);
await Promise.all([ await Promise.all([
file.delete(path.join(nconf.get('upload_path'), uploadName)), file.delete(path.join(nconf.get('upload_path'), uploadName)),