Rename media to avoid exposing filename (fixes #207)

2016-11-23 21:00:00 +00:00 · 2016-11-23 21:00:00 +00:00 · 66a20701b7
commit 66a20701b7
parent cda67241d4
2 changed files with 16 additions and 2 deletions
--- a/app/controllers/api/v1/media_controller.rb
+++ b/app/controllers/api/v1/media_controller.rb
@ -7,7 +7,10 @@ class Api::V1::MediaController < ApiController
  respond_to :json

  def create
-    @media = MediaAttachment.create!(account: current_user.account, file: params[:file])
+    file = params[:file]
+    # Change so Paperclip won't expose the actual filename
+    file.original_filename = "media" + File.extname(file.original_filename)
+    @media = MediaAttachment.create!(account: current_user.account, file: file)
  rescue Paperclip::Errors::NotIdentifiedByImageMagickError
    render json: { error: 'File type of uploaded media could not be verified' }, status: 422
  rescue Paperclip::Error
--- a/app/controllers/settings/profiles_controller.rb
+++ b/app/controllers/settings/profiles_controller.rb
@ -20,7 +20,18 @@ class Settings::ProfilesController < ApplicationController
  private

  def account_params
-    params.require(:account).permit(:display_name, :note, :avatar, :header, :silenced)
+    p = params.require(:account).permit(:display_name, :note, :avatar, :header, :silenced)
+    if p[:avatar]
+        avatar = p[:avatar]
+        # Change so Paperclip won't expose the actual filename
+        avatar.original_filename = "media" + File.extname(avatar.original_filename)
+    end
+    if p[:header]
+        header = p[:header]
+        # Change so Paperclip won't expose the actual filename
+        header.original_filename = "media" + File.extname(header.original_filename)
+    end
+    p
  end

  def set_account