Sanitize filenames when uploading

author: tusooa <tusooa@kazv.moe> 2022-12-29 14:33:46 -0500
committer: tusooa <tusooa@kazv.moe> 2023-03-01 18:40:02 -0500
commit: e4925f813afda5883fd12a48b99b2b12f83678d9 (patch)
tree: c25e2e28cb0cd19638b39d85e549906db87c9acf /lib
parent: 5d34fe1868b152a607b1734b5bbc3e7e43c70f28 (diff)
download: pleroma-e4925f813afda5883fd12a48b99b2b12f83678d9.tar.gz
pleroma-e4925f813afda5883fd12a48b99b2b12f83678d9.zip
1 files changed, 10 insertions, 1 deletions
diff --git a/lib/pleroma/web/activity_pub/activity_pub.ex b/lib/pleroma/web/activity_pub/activity_pub.ex
index b9206b4da..1ab2db94a 100644
--- a/lib/pleroma/web/activity_pub/activity_pub.ex
+++ b/lib/pleroma/web/activity_pub/activity_pub.ex
@@ -1453,13 +1453,22 @@ defmodule Pleroma.Web.ActivityPub.ActivityPub do
 
   @spec upload(Upload.source(), keyword()) :: {:ok, Object.t()} | {:error, any()}
   def upload(file, opts \\ []) do
-    with {:ok, data} <- Upload.store(file, opts) do
+    with {:ok, data} <- Upload.store(sanitize_upload_file(file), opts) do
       obj_data = Maps.put_if_present(data, "actor", opts[:actor])
 
       Repo.insert(%Object{data: obj_data})
     end
   end
 
+  defp sanitize_upload_file(%Plug.Upload{filename: filename} = upload) when is_binary(filename) do
+    %Plug.Upload{
+      upload
+      | filename: Path.basename(filename)
+    }
+  end
+
+  defp sanitize_upload_file(upload), do: upload
+
   @spec get_actor_url(any()) :: binary() | nil
   defp get_actor_url(url) when is_binary(url), do: url
   defp get_actor_url(%{"href" => href}) when is_binary(href), do: href
author	tusooa <tusooa@kazv.moe>	2022-12-29 14:33:46 -0500
committer	tusooa <tusooa@kazv.moe>	2023-03-01 18:40:02 -0500
commit	e4925f813afda5883fd12a48b99b2b12f83678d9 (patch)
tree	c25e2e28cb0cd19638b39d85e549906db87c9acf /lib
parent	5d34fe1868b152a607b1734b5bbc3e7e43c70f28 (diff)
download	pleroma-e4925f813afda5883fd12a48b99b2b12f83678d9.tar.gz pleroma-e4925f813afda5883fd12a48b99b2b12f83678d9.zip