fix: only allow png/jpg/bmp in cover/profile images

Barış Soner Uşaklı
2019-09-21 23:10:49 -04:00
parent 5505628c8d
commit 96ab8d05aa
5 changed files with 76 additions and 46 deletions


@@ -7,6 +7,7 @@ const image = require('../image');
const file = require('../file');
module.exports = function (Groups) {
const allowedTypes = ['image/png', 'image/jpeg', 'image/bmp'];
Groups.updateCoverPosition = async function (groupName, position) {
if (!groupName) {
throw new Error('[[error:invalid-data]]');
@@ -15,15 +16,21 @@ module.exports = function (Groups) {
};
Groups.updateCover = async function (uid, data) {
let tempPath = data.file ? data.file : '';
let tempPath = data.file ? data.file.path : '';
try {
// Position only? That's fine
if (!data.imageData && !data.file && data.position) {
return await Groups.updateCoverPosition(data.groupName, data.position);
}
const type = data.file ? data.file.type : image.mimeFromBase64(data.imageData);
if (!type || !allowedTypes.includes(type)) {
throw new Error('[[error:invalid-image]]');
}
if (!tempPath) {
tempPath = await image.writeImageDataToTempFile(data.imageData);
}
const filename = 'groupCover-' + data.groupName + path.extname(tempPath);
const uploadData = await image.uploadImage(filename, 'files', {
path: tempPath,