closes #5484

8 years ago · e63559b6fd
parent b8c606cbbd
commit e63559b6fd
5 changed files with 28 additions and 11 deletions
--- a/install/data/defaults.json
+++ b/install/data/defaults.json
@ -17,6 +17,7 @@
    "allowLocalLogin": 1,
    "allowAccountDelete": 1,
    "allowFileUploads": 0,
    "allowedFileExtensions": "png,jpg,bmp",
    "allowUserHomePage": 1,
    "maximumFileSize": 2048,
    "minimumTitleLength": 3,
--- a/package.json
+++ b/package.json
@ -54,7 +54,7 @@
    "morgan": "^1.3.2",
    "mousetrap": "^1.5.3",
    "nconf": "~0.8.2",
-    "nodebb-plugin-composer-default": "4.4.4",
+    "nodebb-plugin-composer-default": "4.4.6",
    "nodebb-plugin-dbsearch": "2.0.2",
    "nodebb-plugin-emoji-extended": "1.1.1",
    "nodebb-plugin-emoji-one": "1.1.5",
--- a/src/controllers/uploads.js
+++ b/src/controllers/uploads.js
@ -33,7 +33,7 @@ uploadsController.upload = function (req, res, filesIterator) {
 			return res.status(500).json({ path: req.path, error: err.message });
 		}
-		res.status(200).send(images);
+		res.status(200).json(images);
 	});
 };
@ -208,20 +208,18 @@ uploadsController.uploadFile = function (uid, uploadedFile, callback) {
 		return callback(new Error('[[error:file-too-big, ' + meta.config.maximumFileSize + ']]'));
 	}
-	if (meta.config.hasOwnProperty('allowedFileExtensions')) {
+	var allowed = file.allowedExtensions();
-		var allowed = file.allowedExtensions();
+	var extension = path.extname(uploadedFile.name);
-		var extension = file.typeToExtension(uploadedFile.type);
+	if (!extension || extension === '.' || (allowed.length > 0 && allowed.indexOf(extension) === -1)) {
-		if (!extension || (allowed.length > 0 && allowed.indexOf(extension) === -1)) {
+		return callback(new Error('[[error:invalid-file-type, ' + allowed.join('&#44; ') + ']]'));
 			return callback(new Error('[[error:invalid-file-type, ' + allowed.join('&#44; ') + ']]'));
 		}
 	}
 	saveFileToLocal(uploadedFile, callback);
 };
 function saveFileToLocal(uploadedFile, callback) {
-	var extension = file.typeToExtension(uploadedFile.type);
+	var extension = path.extname(uploadedFile.name);
-	if (!extension) {
+	if (!extension || extension === '.') {
 		return callback(new Error('[[error:invalid-extension]]'));
 	}
 	var filename = uploadedFile.name || 'upload';
--- a/src/upgrade.js
+++ b/src/upgrade.js
@ -51,7 +51,7 @@ var Upgrade = {
 		},
 		{
 			version: 'develop',	// rename this to whatever the next NodeBB version is (breaking)
-			upgrades: ['flags_refactor', 'post_votes_zset', 'moderation_history_refactor'],
+			upgrades: ['flags_refactor', 'post_votes_zset', 'moderation_history_refactor', 'allowed_file_extensions'],
 		},
 	],
 };
--- a/src/upgrades/1.5.0/allowed_file_extensions.js
+++ b/src/upgrades/1.5.0/allowed_file_extensions.js
@ -0,0 +1,18 @@
 /* jslint node: true */
 'use strict';
 var db = require('../../database');
 module.exports = {
 	name: 'Set default allowed file extensions',
 	timestamp: Date.UTC(2017, 3, 14),
 	method: function (callback) {
 		db.getObjectField('config', 'allowedFileExtensions', function (err, value) {
 			if (err || value) {
 				return callback(err);
 			}
 			db.setObjectField('config', 'allowedFileExtensions', 'png,jpg,bmp', callback);
 		});
 	},
 };