commit: 7baca3fe4d4b3279236f0004c867bcd2f5bc8849
parent: cbc50016eb3d0a46e76aca9ed199b036ce20abdb
Author: Eugen <eugen@zeonfederated.com>
Date: Thu, 24 Nov 2016 16:27:32 +0100
Merge pull request #242 from TazeTSchnitzel/media_uri_obfuscation
Rename media to avoid exposing filename (fixes #207)
Diffstat:
3 files changed, 23 insertions(+), 0 deletions(-)
diff --git a/app/controllers/api/v1/media_controller.rb b/app/controllers/api/v1/media_controller.rb
@@ -4,6 +4,9 @@ class Api::V1::MediaController < ApiController
before_action -> { doorkeeper_authorize! :write }
before_action :require_user!
+ include ObfuscateFilename
+ obfuscate_filename :file
+
respond_to :json
def create
diff --git a/app/controllers/settings/profiles_controller.rb b/app/controllers/settings/profiles_controller.rb
@@ -6,6 +6,10 @@ class Settings::ProfilesController < ApplicationController
before_action :authenticate_user!
before_action :set_account
+ include ObfuscateFilename
+ obfuscate_filename [:account, :avatar]
+ obfuscate_filename [:account, :header]
+
def show
end
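Review bot: The call form `obfuscate_filename [:account, :avatar]` passes the nested key path as a single array, which is easy to get wrong. The more natural-looking `obfuscate_filename :account, :avatar` would be accepted by the class-level `*args` and then raise ArgumentError on every request, because the instance method in the concern takes exactly one `path` argument. A comment above these two lines would help, for example `# nested param path is passed as one array: params[:account][:avatar]`. Alternatively the instance method could take `*path`, so both spellings work.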
diff --git a/app/models/concerns/obfuscate_filename.rb b/app/models/concerns/obfuscate_filename.rb
@@ -0,0 +1,16 @@
+module ObfuscateFilename
+ extend ActiveSupport::Concern
+
+ class_methods do
+ def obfuscate_filename(*args)
+ before_action { obfuscate_filename(*args) }
+ end
+ end
+
+ def obfuscate_filename(path)
+ file = params.dig(*path)
+ return if file.nil?
+
+ file.original_filename = "media" + File.extname(file.original_filename)
+ end
+end
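Review bot: The value returned by `params.dig(*path)` is client-supplied, but `file.original_filename = ...` assumes it is an uploaded file. A request that sends a plain string under that key passes the `nil` check and then raises NoMethodError, presumably surfacing as a 500. Replacing the guard with `return unless file.respond_to?(:original_filename)` keeps the filter a no-op for anything that is not an upload. The instance method is also public in a module mixed into controllers, where public methods are treated as actions, so it should sit under `private`. Note that `File.extname(file.original_filename)` still carries a client-chosen extension into the stored name, which deserves a short comment saying where the content type is actually validated.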