cleanup uploaded file names

LibreCat · May 20, 2019 · ee68444 · ee68444
1 parent bbe73c6
commit ee68444
Showing 1 changed file with 9 additions and 6 deletions.
diff --git a/lib/LibreCat/App/Catalogue/Controller/File.pm b/lib/LibreCat/App/Catalogue/Controller/File.pm
@@ -70,15 +70,11 @@ sub upload_temp_file {
     my $now          = timestamp;
     my $tempid       = Data::Uniqid::uniqid;
     my $temp_file    = $file->{tempname};
-    my $file_name    = $file->{filename};
+    my $file_name    = _cleanup_filename($file->{filename});
     my $file_size    = int($file->{size});
     my $content_type = $file->{headers}->{"Content-Type"};
     my $rac_email    = $file->{rac_email} // '';
 
-    # sanitize file name
-    $file_name = as_utf8($file_name);
-    $file_name =~ s/[^\w_\-\.]+/_/g;
-
     h->log->info(
         "upload: $file_name ($content_type: $file_size bytes) by $creator");
 
@@ -186,7 +182,7 @@ sub handle_file {
 
         # If we have a tempid, then there is a file upload waiting...
         if ($fi->{tempid} && $fi->{tempid} =~ /^\S+/) {
-            my $filename = $fi->{file_name};
+            my $filename = $fi->{file_name} = _cleanup_filename($fi->{file_name});
             my $path     = Dancer::FileUtils::path(
                                 h->config->{filestore}->{tmp_dir},
                                 $fi->{tempid},
@@ -577,4 +573,11 @@ sub _find_deleted_files {
     return @filtered_files;
 }
 
+sub _cleanup_filename {
+    my ($filename) = @_;
+    $filename = as_utf8($filename);
+    $filename =~ s/[^\w_\-\.]+/_/g;
+    $filename;
+}
+
 1;