hyperzlib
/
nodebb
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

fix: delete upload

Browse Source
v1.18.x
Barış Soner Uşaklı 5 years ago
parent d74eecfbe8
commit 8c6a7954cf
2 changed files with 23 additions and 6 deletions
Show Stats Download Patch File Download Diff File

8
src/user/uploads.js
Unescape Escape View File

@ -18,14 +18,14 @@ module.exports = function (User) {
throw new Error('[[error:no-privileges]]');
}
if (uploadName.startsWith('.')) {
const finalPath = path.join(nconf.get('upload_path'), uploadName);
if (!finalPath.startsWith(nconf.get('upload_path'))) {
throw new Error('[[error:invalid-path]]');
}
winston.verbose('[user/deleteUpload] Deleting ' + uploadName);
await Promise.all([
file.delete(path.join(nconf.get('upload_path'), uploadName)),
file.delete(path.join(nconf.get('upload_path'), path.dirname(uploadName), path.basename(uploadName, path.extname(uploadName)) + '-resized' + path.extname(uploadName))),
file.delete(finalPath),
file.delete(file.appendToFileName(finalPath, '-resized')),
]);
await db.sortedSetRemove('uid:' + uid + ':uploads', uploadName);
};

21
test/uploads.js
Unescape Escape View File

@ -48,9 +48,12 @@ describe('Upload Controllers', function () {
cid = results.category.cid;
topics.post({ uid: adminUid, title: 'test topic title', content: 'test topic content', cid: results.category.cid }, function (err, result) {
if (err) {
return done(err);
}
tid = result.topicData.tid;
pid = result.postData.pid;
done(err);
groups.join('administrators', adminUid, done);
});
});
});
@ -107,6 +110,20 @@ describe('Upload Controllers', function () {
});
});
it('should not allow deleting if path is not correct', function (done) {
socketUser.deleteUpload({ uid: adminUid }, { uid: regularUid, name: '../../bkconfig.json' }, function (err) {
assert.equal(err.message, '[[error:invalid-path]]');
done();
});
});
it('should not allow deleting if path is not correct', function (done) {
socketUser.deleteUpload({ uid: adminUid }, { uid: regularUid, name: '/files/../../bkconfig.json' }, function (err) {
assert.equal(err.message, '[[error:invalid-path]]');
done();
});
});
it('should resize and upload an image to a post', function (done) {
var oldValue = meta.config.resizeImageWidth;
meta.config.resizeImageWidth = 10;
@ -288,7 +305,7 @@ describe('Upload Controllers', function () {
assert.ifError(err);
jar = _jar;
csrf_token = _csrf_token;
groups.join('administrators', adminUid, done);
done();
});
});

Write Preview
Loading…
Cancel
Save