SECURITY: Add filename validation for backup uploads.

Guo Xiang Tan
2016-09-16 11:56:22 +08:00
parent f63a797e39
commit 512922d776
3 changed files with 31 additions and 0 deletions


@ -194,6 +194,35 @@ describe Admin::BackupsController do
end
describe "#upload_backup_chunk" do
describe "when filename contains invalid characters" do
it "should raise an error" do
['灰色.tar.gz', '; echo \'haha\'.tar.gz'].each do |invalid_filename|
xhr :post, :upload_backup_chunk, resumableFilename: invalid_filename, resumableTotalSize: '1'
expect(response.status).to eq(415)
expect(response.body).to eq(I18n.t('backup.invalid_filename'))
end
end
end
describe "when filename is valid" do
it "should upload the file successfully" do
xhr :post, :upload_backup_chunk,
resumableFilename: 'test.tar.gz',
resumableTotalSize: '1',
resumableIdentifier: 'test',
resumableChunkNumber: '1',
resumableChunkSize: '1',
resumableCurrentChunkSize: '1',
file: fixture_file_upload(Tempfile.new)
expect(response.status).to eq(200)
expect(response.body).to eq("")
end
end
end
end
end
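Review bot: The invalid-filename example under `#upload_backup_chunk` covers only a non-ASCII name and a shell-metacharacter string, so it does not pin a path separator or a `..` component. Those cases matter if the upload name is used to build a path on disk, which is presumably what happens here. The validation lives in a file not shown in this section and may already reject them; extending the list would make that a tested guarantee, e.g. `['灰色.tar.gz', '; echo \'haha\'.tar.gz', '../test.tar.gz', 'dir/test.tar.gz'].each do |invalid_filename|`. Because every name runs inside one `it`, a failure will not say which filename was accepted; generating one example per name, or passing the name as the expectation's failure message, would make regressions easier to read. The enclosing `describe Admin::BackupsController` block starts outside the hunk.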