Nemcio/NodeBB
1
0
Fork 0
mirror of https://github.com/NodeBB/NodeBB.git synced 2025-10-26 16:46:12 +01:00
Code Issues Packages Projects Releases Wiki Activity

fix: bug with Topics.resizeAndUploadThumb not checking for extension validity

Browse Source
This commit is contained in:
Julian Lam
2020-11-23 17:03:02 -05:00
parent 2b73a14e42
commit eab4ca7104
1 changed files with 7 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
src/topics/thumb.js
View File

@@ -23,6 +23,8 @@ module.exports = function (Topics) {
const pipeToFileAsync = util.promisify(pipeToFile); const pipeToFileAsync = util.promisify(pipeToFile);
Topics.resizeAndUploadThumb = async function (data) { Topics.resizeAndUploadThumb = async function (data) {
const allowedExtensions = file.allowedExtensions();
// Handle protocol-relative URLs // Handle protocol-relative URLs
if (data.thumb && data.thumb.startsWith('//')) { if (data.thumb && data.thumb.startsWith('//')) {
data.thumb = `${nconf.get('secure') ? 'https' : 'http'}:${data.thumb}`; data.thumb = `${nconf.get('secure') ? 'https' : 'http'}:${data.thumb}`;
@@ -45,6 +47,11 @@ module.exports = function (Topics) {
if (!extension) { if (!extension) {
extension = '.' + mime.getExtension(type); extension = '.' + mime.getExtension(type);
} }
if (!allowedExtensions.includes(extension)) {
throw new Error('[[error:invalid-file]]');
}
const filename = Date.now() + '-topic-thumb' + extension; const filename = Date.now() + '-topic-thumb' + extension;
const folder = 'files'; const folder = 'files';
pathToUpload = path.join(nconf.get('upload_path'), folder, filename); pathToUpload = path.join(nconf.get('upload_path'), folder, filename);