From e63559b6fdd49e85274d31c22a8b1feaac748bad Mon Sep 17 00:00:00 2001
From: barisusakli
Date: Fri, 14 Apr 2017 12:59:36 -0400
Subject: [PATCH] closes #5484
---
 install/data/defaults.json | 1 +
 package.json | 2 +-
 src/controllers/uploads.js | 16 +++++++---------
 src/upgrade.js | 2 +-
 src/upgrades/1.5.0/allowed_file_extensions.js | 18 ++++++++++++++++++
 5 files changed, 28 insertions(+), 11 deletions(-)
 create mode 100644 src/upgrades/1.5.0/allowed_file_extensions.js
diff --git a/install/data/defaults.json b/install/data/defaults.json
index c471db6b89..25fe659b27 100644
--- a/install/data/defaults.json
+++ b/install/data/defaults.json
@@ -17,6 +17,7 @@
 "allowLocalLogin": 1,
 "allowAccountDelete": 1,
 "allowFileUploads": 0,
+ "allowedFileExtensions": "png,jpg,bmp",
 "allowUserHomePage": 1,
 "maximumFileSize": 2048,
 "minimumTitleLength": 3,
diff --git a/package.json b/package.json
index 1b3eeff9ef..1286233b99 100644
--- a/package.json
+++ b/package.json
@@ -54,7 +54,7 @@
 "morgan": "^1.3.2",
 "mousetrap": "^1.5.3",
 "nconf": "~0.8.2",
- "nodebb-plugin-composer-default": "4.4.4",
+ "nodebb-plugin-composer-default": "4.4.6",
 "nodebb-plugin-dbsearch": "2.0.2",
 "nodebb-plugin-emoji-extended": "1.1.1",
 "nodebb-plugin-emoji-one": "1.1.5",
diff --git a/src/controllers/uploads.js b/src/controllers/uploads.js
index 82556ee12c..a9768755db 100644
--- a/src/controllers/uploads.js
+++ b/src/controllers/uploads.js
@@ -33,7 +33,7 @@ uploadsController.upload = function (req, res, filesIterator) {
 return res.status(500).json({ path: req.path, error: err.message });
 }
- res.status(200).send(images);
+ res.status(200).json(images);
 });
 };
@@ -208,20 +208,18 @@ uploadsController.uploadFile = function (uid, uploadedFile, callback) {
 return callback(new Error('[[error:file-too-big, ' + meta.config.maximumFileSize + ']]'));
 }
- if (meta.config.hasOwnProperty('allowedFileExtensions')) {
- var allowed = file.allowedExtensions();
- var extension = file.typeToExtension(uploadedFile.type);
- if (!extension || (allowed.length > 0 && allowed.indexOf(extension) === -1)) {
- return callback(new Error('[[error:invalid-file-type, ' + allowed.join(', ') + ']]'));
- }
+ var allowed = file.allowedExtensions();
+ var extension = path.extname(uploadedFile.name);
+ if (!extension || extension === '.' || (allowed.length > 0 && allowed.indexOf(extension) === -1)) {
+ return callback(new Error('[[error:invalid-file-type, ' + allowed.join(', ') + ']]'));
 }
 saveFileToLocal(uploadedFile, callback);
 };
 function saveFileToLocal(uploadedFile, callback) {
- var extension = file.typeToExtension(uploadedFile.type);
- if (!extension) {
+ var extension = path.extname(uploadedFile.name);
+ if (!extension || extension === '.') {
 return callback(new Error('[[error:invalid-extension]]'));
 }
 var filename = uploadedFile.name || 'upload';
diff --git a/src/upgrade.js b/src/upgrade.js
index 9d0e846256..96a20780cf 100644
--- a/src/upgrade.js
+++ b/src/upgrade.js
@@ -51,7 +51,7 @@ var Upgrade = {
 },
 {
 version: 'develop', // rename this to whatever the next NodeBB version is (breaking)
- upgrades: ['flags_refactor', 'post_votes_zset', 'moderation_history_refactor'],
+ upgrades: ['flags_refactor', 'post_votes_zset', 'moderation_history_refactor', 'allowed_file_extensions'],
 },
 ],
 };
diff --git a/src/upgrades/1.5.0/allowed_file_extensions.js b/src/upgrades/1.5.0/allowed_file_extensions.js
new file mode 100644
index 0000000000..158c04ab1d
--- /dev/null
+++ b/src/upgrades/1.5.0/allowed_file_extensions.js
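Review bot: `path.extname(uploadedFile.name)` on the new side throws a TypeError on current Node versions when `name` is not a string, yet the hunk's own last line, `var filename = uploadedFile.name || 'upload';`, shows the code expects `name` to be possibly missing; as written that exception escapes synchronously from a callback-style function instead of reaching `callback`. Both new call sites should guard the value, e.g. `var extension = path.extname(uploadedFile.name || '');`, which yields `''` and falls into the existing invalid-extension branch. Note also that `allowed.indexOf(extension)` compares the raw result case-sensitively (`.PNG` vs `.png`); unless `file.allowedExtensions()` (not visible here) also normalizes case, lower-casing the extension before the lookup avoids rejecting legitimately named files. Since the check now keys off the client-supplied filename rather than the MIME type, a one-line comment such as `// Allowlist is name-based only: file contents are not inspected` would make the trust boundary explicit for the next reader. uploadFile's body begins before this hunk and saveFileToLocal continues past its end.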
@@ -0,0 +1,18 @@
+/* jslint node: true */
+
+'use strict';
+
+var db = require('../../database');
+
+module.exports = {
+ name: 'Set default allowed file extensions',
+ timestamp: Date.UTC(2017, 3, 14),
+ method: function (callback) {
+ db.getObjectField('config', 'allowedFileExtensions', function (err, value) {
+ if (err || value) {
+ return callback(err);
+ }
+ db.setObjectField('config', 'allowedFileExtensions', 'png,jpg,bmp', callback);
+ });
+ },
+};
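Review bot: The guard `if (err || value)` treats an empty string the same as an absent key, so an installation whose admin deliberately cleared `allowedFileExtensions` has it reset to `png,jpg,bmp`; if that is intended as the safe default (the companion uploads.js change skips the allowlist check when the parsed list is empty), a comment should say so, e.g. `// Unset or empty currently means "any extension" in uploads.js; seed a restrictive default instead`. If only a missing key should be seeded, test for absence explicitly, e.g. `if (err || value != null)`, though which form is right depends on what `db.getObjectField` returns for a missing field, which is not visible here. The file also has no header comment explaining why the migration exists; one sentence noting that uploads.js now always enforces the allowlist, where it previously skipped the check when the key was absent, would spare the next maintainer a blame.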