fix: delete upload

v1.18.x
Barış Soner Uşaklı 5 years ago
parent d74eecfbe8
commit 8c6a7954cf

@ -18,14 +18,14 @@ module.exports = function (User) {
throw new Error('[[error:no-privileges]]'); throw new Error('[[error:no-privileges]]');
} }
if (uploadName.startsWith('.')) { const finalPath = path.join(nconf.get('upload_path'), uploadName);
if (!finalPath.startsWith(nconf.get('upload_path'))) {
throw new Error('[[error:invalid-path]]'); throw new Error('[[error:invalid-path]]');
} }
winston.verbose('[user/deleteUpload] Deleting ' + uploadName); winston.verbose('[user/deleteUpload] Deleting ' + uploadName);
await Promise.all([ await Promise.all([
file.delete(path.join(nconf.get('upload_path'), uploadName)), file.delete(finalPath),
file.delete(path.join(nconf.get('upload_path'), path.dirname(uploadName), path.basename(uploadName, path.extname(uploadName)) + '-resized' + path.extname(uploadName))), file.delete(file.appendToFileName(finalPath, '-resized')),
]); ]);
await db.sortedSetRemove('uid:' + uid + ':uploads', uploadName); await db.sortedSetRemove('uid:' + uid + ':uploads', uploadName);
}; };
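Review bot: The containment check on the new `if (!finalPath.startsWith(nconf.get('upload_path')))` line is a bare string-prefix comparison, so any joined path that merely begins with the same characters as the configured directory (a sibling directory with a longer name) passes it even though it is outside the upload root. Anchoring the comparison on the separator closes that gap: `const uploadPath = path.resolve(nconf.get('upload_path'));`, `const finalPath = path.resolve(uploadPath, uploadName);`, `if (!finalPath.startsWith(uploadPath + path.sep)) {`. Resolving the configured value first also guards against a trailing slash or unnormalized segments in `upload_path`, which `path.join` normalizes on the right-hand side but not in the raw `nconf.get` value used as the prefix; whether the config value is already absolute and normalized is not visible here. The `-resized` variant is derived from `finalPath` via `file.appendToFileName`, so it is covered by the same check. The deleteUpload function begins outside this hunk.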

@ -48,9 +48,12 @@ describe('Upload Controllers', function () {
cid = results.category.cid; cid = results.category.cid;
topics.post({ uid: adminUid, title: 'test topic title', content: 'test topic content', cid: results.category.cid }, function (err, result) { topics.post({ uid: adminUid, title: 'test topic title', content: 'test topic content', cid: results.category.cid }, function (err, result) {
if (err) {
return done(err);
}
tid = result.topicData.tid; tid = result.topicData.tid;
pid = result.postData.pid; pid = result.postData.pid;
done(err); groups.join('administrators', adminUid, done);
}); });
}); });
}); });
@ -107,6 +110,20 @@ describe('Upload Controllers', function () {
}); });
}); });
it('should not allow deleting if path is not correct', function (done) {
socketUser.deleteUpload({ uid: adminUid }, { uid: regularUid, name: '../../bkconfig.json' }, function (err) {
assert.equal(err.message, '[[error:invalid-path]]');
done();
});
});
it('should not allow deleting if path is not correct', function (done) {
socketUser.deleteUpload({ uid: adminUid }, { uid: regularUid, name: '/files/../../bkconfig.json' }, function (err) {
assert.equal(err.message, '[[error:invalid-path]]');
done();
});
});
it('should resize and upload an image to a post', function (done) { it('should resize and upload an image to a post', function (done) {
var oldValue = meta.config.resizeImageWidth; var oldValue = meta.config.resizeImageWidth;
meta.config.resizeImageWidth = 10; meta.config.resizeImageWidth = 10;
@ -288,7 +305,7 @@ describe('Upload Controllers', function () {
assert.ifError(err); assert.ifError(err);
jar = _jar; jar = _jar;
csrf_token = _csrf_token; csrf_token = _csrf_token;
groups.join('administrators', adminUid, done); done();
}); });
}); });
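Review bot: The two new `it('should not allow deleting if path is not correct', …)` cases in the second hunk share an identical title, so a failure in the report cannot be attributed to the flat `'../../bkconfig.json'` case versus the nested `'/files/../../bkconfig.json'` case. Rename the second one, e.g. `it('should not allow deleting if path is not correct (nested traversal)', function (done) {`. Each callback also reads `err.message` without first asserting that an error was returned; an `assert(err);` line before the `assert.equal` gives a clearer failure than the TypeError that would otherwise surface if the call ever succeeds.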
