Fixed two bugs:

1. A filename cannot contain ':' (at least on Windows); NodeBB crashes with such a filename
2. lwip cannot define image type without file extension

Also added image extension check to prevent security issues
v1.18.x
APXEOLOG 10 years ago
parent f2bebb12c6
commit 93b6b6ba5f

@ -90,7 +90,11 @@ module.exports = function(User) {
};
User.uploadFromUrl = function(uid, url, callback) {
var filename = 'uid:' + uid + ':tmp-image';
var extension = url.substring(url.lastIndexOf('.') + 1);
if (['png', 'jpeg', 'jpg', 'gif'].indexOf(extension) == -1) {
return callback('This image type is not allowed');
}
var filename = 'uid_' + uid + '_tmp-image.' + extension;
downloadFromUrl(url, filename, function(err, downloadedImage) {
if (err) {
return callback(err);
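Review bot: The new allow-list in `User.uploadFromUrl` tests only the text after the last '.' in the URL string, so it constrains the temporary filename but not what the remote server actually returns. The downloaded bytes still need to be validated as an image (decoded, or checked by signature) before they are stored or served; whether that happens is not visible here, because the function body continues past the hunk. The same string test also rejects legitimate URLs that carry an upper-case extension or a query string; `var extension = url.split(/[?#]/)[0].split('.').pop().toLowerCase();` would normalise both before the `indexOf` check. `downloadFromUrl` still receives the user-supplied URL unchanged, so unless that helper restricts the scheme and destination host itself, this remains a server-side fetch of an arbitrary address and is worth confirming there.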
