Merge pull request #5083 from VidVidex/master

Fix downloading attachments with unusual filenames [WIP]
Lauri Ojansivu 2023-08-16 20:30:43 +03:00 committed by GitHub
commit 8a1c2e8860


@ -292,13 +292,16 @@ Template.cardAttachmentsPopup.events({
let uploads = [];
for (const file of files) {
const fileId = new ObjectID().toString();
// If filename is not same as sanitized filename, has XSS, then cancel upload
if (file.name !== DOMPurify.sanitize(file.name)) {
return false;
const fileName = DOMPurify.sanitize(file.name);
if (fileName !== file.name) {
console.warn('Detected possible XSS in file: ', file.name + '. Renamed to: ', fileName + '.');
}
const config = {
file: file,
fileId: fileId,
fileName: fileName,
meta: Utils.getCommonAttachmentMetaFrom(card),
chunkSize: 'dynamic',
};
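Review bot: The comment `// If filename is not same as sanitized filename, has XSS, then cancel upload` is now stale — the new code no longer returns, it warns and continues with the renamed file — so it should read `// If filename differs from its DOMPurify-sanitized form, warn and upload under the sanitized name instead of cancelling`. Note also that DOMPurify.sanitize is an HTML sanitizer, not a filename sanitizer: its output is serialized HTML, so a legitimate name such as `Tom & Jerry.pdf` will most likely come back as `Tom &amp; Jerry.pdf` and be stored mangled, while characters that actually matter for storage (`/`, `..`, NUL) pass through untouched; a stricter check here would strip or reject those characters and leave HTML escaping to the rendering layer, where the template engine already handles it. The original `file.name` is still passed through `file: file`, so whether the server side honours `fileName` over it cannot be confirmed from this hunk. The enclosing event handler starts before and continues past the hunk.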