SECURITY: Add filename validation for backup uploads.

Guo Xiang Tan
2016-09-16 11:56:22 +08:00
parent f63a797e39
commit 512922d776
3 changed files with 31 additions and 0 deletions


@ -119,6 +119,7 @@ class Admin::BackupsController < Admin::AdminController
return render status: 415, text: I18n.t("backup.backup_file_should_be_tar_gz") unless /\.(tar\.gz|t?gz)$/i =~ filename
return render status: 415, text: I18n.t("backup.not_enough_space_on_disk") unless has_enough_space_on_disk?(total_size)
return render status: 415, text: I18n.t("backup.invalid_filename") unless !!(/^[a-zA-Z0-9\.-_]+$/ =~ filename)
file = params.fetch(:file)
identifier = params.fetch(:resumableIdentifier)
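Review bot: The new `backup.invalid_filename` guard accepts more than the pattern suggests: inside the character class `\.-_` is parsed as a range from `.` to `_`, which also admits `/`, `\`, `:` and other punctuation, and `^`/`$` match at line boundaries in Ruby, so a value containing a newline passes as soon as one of its lines matches. Anchor the whole string and move the hyphen to the end of the class, e.g. `unless filename =~ /\A[a-zA-Z0-9._-]+\z/`. The extension check two lines above ends in `$` and would likewise be stricter with `\z`. The enclosing method starts above the hunk and continues past it, so how `filename` is used afterwards is not visible here.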