upload-server safeName #8

HenryTi opened this issue May 28, 2015 · 3 comments

HenryTi commented May 28, 2015

Hi,
maybe it's an issue:

    FileInfo.prototype.safeName = function () {
        // Prevent directory traversal and creating hidden system files:
        this.name = path.basename(this.name).replace(/^\.+/, '');
        // Prevent overwriting existing files:
        while (_existsSync(options.uploadDir + '/' + this.name)) {
            this.name = this.name.replace(nameCountRegexp, nameCountFunc);
        }
    };

The options.uploadDir should be options.getDirectory()?

For example, img.png is in /dir1; when another img.png is uploaded, an error will be thrown. Am I right?

Thank you, I like this upload package of yours.

  • Henry
HenryTi closed this as completed May 28, 2015

HenryTi commented May 28, 2015

I build a subdirectory for each user, so when the user uploads the same image again, it will override the last uploaded image.

HenryTi reopened this May 28, 2015

tomitrescak (Owner) commented

Henry, it's definitely a bug. Would you be keen on doing the pull request? I'm extremely busy these days. Thanks!


HenryTi commented May 29, 2015

Hi,

I don’t know what a "pull request" is.

I carefully checked the code; the following can fix it.

  1. Remove the FileInfo.safeName function.
  2. Add a new function:
    function getSafeName(fileName) {
        var n = fileName;
        // Prevent directory traversal and creating hidden system files:
        n = path.basename(n).replace(/^\.+/, '');
        // Prevent overwriting existing files:
        while (_existsSync(options.uploadDir + '/' + n)) {
            n = n.replace(nameCountRegexp, nameCountFunc);
        }
        return n;
    }
  3. Add a line of code in upload_server.js after line 429:
    newFileName = getSafeName(newFileName);
  4. OK.
  • Henry

On May 28, 2015, at 7:06 PM, Tomas Trescak notifications@github.com wrote:

Henry, it's definitely a bug. Would you be keen on doing the pull request? I'm extremely busy these days. Thanks!
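
The check discussed in this thread, as an added example that is not part of the original issue or the project's code: a name sanitiser that tests for collisions in the directory the file is actually written to. `safeNameIn`, its `dir` parameter, the `upload` fallback and the ` (n)` suffix format are assumptions, and the sample files are constructed in a temporary directory.

```javascript
// Added example, not the project's code. safeNameIn, dir, the "upload"
// fallback and the " (n)" suffix format are assumptions for illustration.
const fs = require('fs');
const os = require('os');
const path = require('path');

// Return a name that is safe to create inside `dir`:
//  - path.basename() drops directory components ("../../x" -> "x")
//  - stripping leading dots prevents hidden files (".htaccess" -> "htaccess")
//  - the collision loop checks `dir` itself, the directory the file will
//    be written to, rather than the upload root.
function safeNameIn(dir, requested) {
  // Normalise "\" first so Windows-style paths are also reduced on POSIX.
  const flat = String(requested).replace(/\\/g, '/');
  let name = path.basename(flat).replace(/^\.+/, '');
  if (name === '') name = 'upload'; // nothing usable left, e.g. ".."
  const ext = path.extname(name);
  const stem = name.slice(0, name.length - ext.length);
  let candidate = name;
  for (let n = 1; fs.existsSync(path.join(dir, candidate)); n++) {
    candidate = `${stem} (${n})${ext}`;
  }
  return candidate;
}

// Constructed demo: an upload root with one per-user subdirectory
// that already holds img.png, as in the scenario from the issue.
function demo() {
  const root = fs.mkdtempSync(path.join(os.tmpdir(), 'upload-'));
  const userDir = path.join(root, 'dir1');
  fs.mkdirSync(userDir);
  fs.writeFileSync(path.join(userDir, 'img.png'), 'first');
  const result = {
    againstRoot: safeNameIn(root, 'img.png'),       // collision missed
    againstUserDir: safeNameIn(userDir, 'img.png'), // collision found
    traversal: safeNameIn(userDir, '../../etc/passwd'),
    windows: safeNameIn(userDir, '..\\..\\boot.ini'),
    hidden: safeNameIn(userDir, '.htaccess'),
    dotsOnly: safeNameIn(userDir, '..'),
  };
  fs.rmSync(root, { recursive: true, force: true });
  return result;
}

console.log(demo());
```

The existence check and the later write are separate steps, so two concurrent uploads can still pick the same name; opening the destination with the `wx` flag makes creation fail instead of overwriting.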

