autonomic-cooperative/hometown
0
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Rename media to avoid exposing filename (fixes #207)

Browse Source
This commit is contained in:
Andrea Faulds
2016-11-23 21:00:00 +00:00
parent 3373ae02de
commit 7161f91313
2 changed files with 16 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
app/controllers/api/v1/media_controller.rb
View File

@ -7,7 +7,10 @@ class Api::V1::MediaController < ApiController
respond_to :json
def create
@media = MediaAttachment.create!(account: current_user.account, file: params[:file])
file = params[:file]
# Change so Paperclip won't expose the actual filename
file.original_filename = "media" + File.extname(file.original_filename)
@media = MediaAttachment.create!(account: current_user.account, file: file)
rescue Paperclip::Errors::NotIdentifiedByImageMagickError
render json: { error: 'File type of uploaded media could not be verified' }, status: 422
rescue Paperclip::Error

13
app/controllers/settings/profiles_controller.rb
View File

@ -20,7 +20,18 @@ class Settings::ProfilesController < ApplicationController
private
def account_params
params.require(:account).permit(:display_name, :note, :avatar, :header, :silenced)
p = params.require(:account).permit(:display_name, :note, :avatar, :header, :silenced)
if p[:avatar]
avatar = p[:avatar]
# Change so Paperclip won't expose the actual filename
avatar.original_filename = "media" + File.extname(avatar.original_filename)
end
if p[:header]
header = p[:header]
# Change so Paperclip won't expose the actual filename
header.original_filename = "media" + File.extname(header.original_filename)
end
p
end
def set_account