Rename media to avoid exposing filename (fixes #207)

This commit is contained in:
Andrea Faulds 2016-11-23 21:00:00 +00:00
parent cda67241d4
commit 66a20701b7
2 changed files with 16 additions and 2 deletions

View file

@ -7,7 +7,10 @@ class Api::V1::MediaController < ApiController
respond_to :json
def create
@media = MediaAttachment.create!(account: current_user.account, file: params[:file])
file = params[:file]
# Change so Paperclip won't expose the actual filename
file.original_filename = "media" + File.extname(file.original_filename)
@media = MediaAttachment.create!(account: current_user.account, file: file)
rescue Paperclip::Errors::NotIdentifiedByImageMagickError
render json: { error: 'File type of uploaded media could not be verified' }, status: 422
rescue Paperclip::Error

View file

@ -20,7 +20,18 @@ class Settings::ProfilesController < ApplicationController
private
def account_params
params.require(:account).permit(:display_name, :note, :avatar, :header, :silenced)
p = params.require(:account).permit(:display_name, :note, :avatar, :header, :silenced)
if p[:avatar]
avatar = p[:avatar]
# Change so Paperclip won't expose the actual filename
avatar.original_filename = "media" + File.extname(avatar.original_filename)
end
if p[:header]
header = p[:header]
# Change so Paperclip won't expose the actual filename
header.original_filename = "media" + File.extname(header.original_filename)
end
p
end
def set_account