Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Added disable rename files #158

Closed
wants to merge 3 commits into from
Closed

Added disable rename files #158

wants to merge 3 commits into from

Conversation

Laboratory
Copy link

request for my issue
#154

set isAutoRename = false for disable rename uploading files

felixge
felixge reviewed Jul 29, 2012
View reviewed changes
lib/incoming_form.js
util.inherits(IncomingForm, EventEmitter);
exports.IncomingForm = IncomingForm;

IncomingForm.UPLOAD_DIR = (function() {
var dirs = [process.env.TMP, '/tmp', process.cwd()];
for (var i = 0; i < dirs.length; i++) {
for (var i = 0, l = dirs.length; i < l; i++) {
var dir = dirs[i];
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why?

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

small optimization :)

@felixge
Copy link
Collaborator

felixge commented Jul 29, 2012

A few things:

  • Split unrelated changes (like whitespace) in separate commits
  • Explain your use case
  • Add a test demonstrating that this cannot be exploited (what happens if my file is named '../../my.jpeg'?)

@Laboratory
Copy link
Author

Explain your use case:

When I upload files to the server, such as his name game.apk, after passing through IncomingForm name becomes 666a0d1b2d94b15f82b311193b694abf.apk. And when the user downloads the game on the phone, he always asks: What a strange file name?

if my file is named '../../my.jpeg' and param isAutoRename=true name will be 7a7a7..aa7.jpeg
if isAutoRename=false name will be my.jpeg

I added test in test/unit/test-incoming-form.js. His name is '#_uploadPath with disable rename files (isAutoRename)'

Laboratory
Laboratory reviewed Jul 29, 2012
View reviewed changes
test/unit/test-incoming-form.js
@@ -56,6 +56,17 @@ test('IncomingForm', {
var ext = path.extname(form._uploadPath('super.bar'));
assert.equal(ext, '.bar');
},
'#_uploadPath with disable rename files (isAutoRename)': function() {
var fileName = "sample.txt";
Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

for example: my.jpeg

@felixge
Copy link
Collaborator

felixge commented Jul 29, 2012

Add a test demonstrating that this cannot be exploited (what happens if my file is named '../../my.jpeg'?)

^-- you have not done that, please add such a test.

@Laboratory
Copy link
Author

added test

@Laboratory Laboratory mentioned this pull request Jul 30, 2012
Closed
@tunnckoCore
Copy link
Member

tunnckoCore commented Nov 28, 2019
edited

Kind of related to #488 (and few others if i remember correctly) which was also closed recently. We will work on some option that is about the file naming, renaming, escaping/sanitize and etc stuff.

Closing this.

@tunnckoCore tunnckoCore mentioned this pull request Mar 20, 2020
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
4 participants
@Laboratory @felixge @tunnckoCore @mscdex