use beforeWrite method of CollectionFS instead of collection-hooks

This commit is contained in:
Ghassen Rjab 2017-08-31 22:02:11 +01:00
parent ddc21046b9
commit ad09630d4e


@ -3,7 +3,24 @@ Attachments = new FS.Collection('attachments', {
// XXX Add a new store for cover thumbnails so we don't load big images in
// the general board view
new FS.Store.GridFS('attachments'),
new FS.Store.GridFS('attachments', {
// If the uploaded document is not an image we need to enforce browser
// download instead of execution. This is particularly important for HTML
// files that the browser will just execute if we don't serve them with the
// appropriate `application/octet-stream` MIME header which can lead to user
// data leaks. I imagine other formats (like PDF) can also be attack vectors.
// See https://github.com/wekan/wekan/issues/99
// XXX Should we use `beforeWrite` option of CollectionFS instead of
// collection-hooks?
// We should use `beforeWrite`.
beforeWrite: (fileObj) => {
if (!fileObj.isImage()) {
return {
type: 'application/octet-stream'
};
}
},
}),
],
});
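Review bot: The `beforeWrite` return value only sets the `type` of the copy written to the GridFS store, whereas the removed hook (second hunk, `file.original.type = 'application/octet-stream'`) rewrote the original's type; if any code path serves or exposes `original.type` rather than the store copy's type, the octet-stream enforcement no longer reaches it, so that should be confirmed against the access point before relying on it. The decision still rests on `fileObj.isImage()`, which as far as I can tell inspects the client-declared MIME type, so an upload declared `image/svg+xml` keeps an inline image type even though SVG can carry script; if that matters here, treat it like a non-image, e.g. `if (!fileObj.isImage() || fileObj.type() === 'image/svg+xml') {`. The three comment lines directly above `beforeWrite` (`// XXX Should we use ... // We should use ...`) are the question this commit answers and read as a note-to-self; replace them with `// Serve non-image uploads as application/octet-stream (see wekan/wekan#99)`. The removed `before.insert` hook also set `doc.userId = userId`; unless the commit restores that elsewhere, the uploader is no longer recorded on the attachment document.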
@ -36,23 +53,6 @@ if (Meteor.isServer) {
// XXX Enforce a schema for the Attachments CollectionFS
Attachments.files.before.insert((userId, doc) => {
const file = new FS.File(doc);
doc.userId = userId;
// If the uploaded document is not an image we need to enforce browser
// download instead of execution. This is particularly important for HTML
// files that the browser will just execute if we don't serve them with the
// appropriate `application/octet-stream` MIME header which can lead to user
// data leaks. I imagine other formats (like PDF) can also be attack vectors.
// See https://github.com/wekan/wekan/issues/99
// XXX Should we use `beforeWrite` option of CollectionFS instead of
// collection-hooks?
if (!file.isImage()) {
file.original.type = 'application/octet-stream';
}
});
if (Meteor.isServer) {
Attachments.files.after.insert((userId, doc) => {
Activities.insert({