mirror of
https://github.com/NodeBB/NodeBB.git
synced 2026-02-21 05:57:43 +01:00
fix: only allow png/jpg/bmp in cover/profile images
This commit is contained in:
Barış Soner Uşaklı
@@ -8,6 +8,7 @@ const image = require('../image');
|
||||
const meta = require('../meta');
|
||||
|
||||
module.exports = function (User) {
|
||||
const allowedTypes = ['image/png', 'image/jpeg', 'image/bmp'];
|
||||
User.updateCoverPosition = async function (uid, position) {
|
||||
// Reject anything that isn't two percentages
|
||||
if (!/^[\d.]+%\s[\d.]+%$/.test(position)) {
|
||||
@@ -29,27 +30,12 @@ module.exports = function (User) {
|
||||
return await User.updateCoverPosition(data.uid, data.position);
|
||||
}
|
||||
|
||||
if (!data.imageData && !data.file) {
|
||||
throw new Error('[[error:invalid-data]]');
|
||||
}
|
||||
const size = data.file ? data.file.size : image.sizeFromBase64(data.imageData);
|
||||
if (size > meta.config.maximumCoverImageSize * 1024) {
|
||||
throw new Error('[[error:file-too-big, ' + meta.config.maximumCoverImageSize + ']]');
|
||||
}
|
||||
validateUpload(data, meta.config.maximumCoverImageSize);
|
||||
|
||||
if (data.file) {
|
||||
picture.path = data.file.path;
|
||||
} else {
|
||||
picture.path = await image.writeImageDataToTempFile(data.imageData);
|
||||
}
|
||||
picture.path = await getTempPath(data);
|
||||
|
||||
const type = data.file ? data.file.type : image.mimeFromBase64(data.imageData);
|
||||
if (!type || !type.match(/^image./)) {
|
||||
throw new Error('[[error:invalid-image]]');
|
||||
}
|
||||
|
||||
const extension = file.typeToExtension(type);
|
||||
const filename = generateProfileImageFilename(data.uid, 'profilecover', extension);
|
||||
const extension = file.typeToExtension(getMimeType(data));
|
||||
const filename = data.uid + '-profilecover' + extension;
|
||||
const uploadData = await image.uploadImage(filename, 'profile', picture);
|
||||
|
||||
await User.setUserField(data.uid, 'cover:url', uploadData.url);
|
||||
@@ -77,31 +63,14 @@ module.exports = function (User) {
|
||||
throw new Error('[[error:profile-image-uploads-disabled]]');
|
||||
}
|
||||
|
||||
if (!data.imageData && !data.file) {
|
||||
throw new Error('[[error:invalid-data]]');
|
||||
}
|
||||
validateUpload(data, meta.config.maximumProfileImageSize);
|
||||
|
||||
const size = data.file ? data.file.size : image.sizeFromBase64(data.imageData);
|
||||
const uploadSize = meta.config.maximumProfileImageSize;
|
||||
if (size > uploadSize * 1024) {
|
||||
throw new Error('[[error:file-too-big, ' + uploadSize + ']]');
|
||||
}
|
||||
|
||||
const type = data.file ? data.file.type : image.mimeFromBase64(data.imageData);
|
||||
if (!type || !type.match(/^image./)) {
|
||||
throw new Error('[[error:invalid-image]]');
|
||||
}
|
||||
const extension = file.typeToExtension(type);
|
||||
const extension = file.typeToExtension(getMimeType(data));
|
||||
if (!extension) {
|
||||
throw new Error('[[error:invalid-image-extension]]');
|
||||
}
|
||||
|
||||
if (data.file) {
|
||||
picture.path = data.file.path;
|
||||
} else {
|
||||
picture.path = await image.writeImageDataToTempFile(data.imageData);
|
||||
}
|
||||
|
||||
picture.path = await getTempPath(data);
|
||||
picture.path = await convertToPNG(picture.path, extension);
|
||||
|
||||
await image.resizeImage({
|
||||
@@ -110,7 +79,7 @@ module.exports = function (User) {
|
||||
height: meta.config.profileImageDimension,
|
||||
});
|
||||
|
||||
const filename = generateProfileImageFilename(data.uid, 'profileavatar', extension);
|
||||
const filename = generateProfileImageFilename(data.uid, extension);
|
||||
const uploadedImage = await image.uploadImage(filename, 'profile', picture);
|
||||
|
||||
await User.setUserFields(data.uid, {
|
||||
@@ -123,6 +92,32 @@ module.exports = function (User) {
|
||||
}
|
||||
};
|
||||
|
||||
function validateUpload(data, maxSize) {
|
||||
if (!data.imageData && !data.file) {
|
||||
throw new Error('[[error:invalid-data]]');
|
||||
}
|
||||
const size = data.file ? data.file.size : image.sizeFromBase64(data.imageData);
|
||||
if (size > maxSize * 1024) {
|
||||
throw new Error('[[error:file-too-big, ' + maxSize + ']]');
|
||||
}
|
||||
|
||||
const type = getMimeType(data);
|
||||
if (!type || !allowedTypes.includes(type)) {
|
||||
throw new Error('[[error:invalid-image]]');
|
||||
}
|
||||
}
|
||||
|
||||
function getMimeType(data) {
|
||||
return data.file ? data.file.type : image.mimeFromBase64(data.imageData);
|
||||
}
|
||||
|
||||
async function getTempPath(data) {
|
||||
if (data.file) {
|
||||
return data.file.path;
|
||||
}
|
||||
return await image.writeImageDataToTempFile(data.imageData);
|
||||
}
|
||||
|
||||
async function convertToPNG(path, extension) {
|
||||
const convertToPNG = meta.config['profile:convertProfileImageToPNG'] === 1;
|
||||
if (!convertToPNG) {
|
||||
@@ -133,10 +128,10 @@ module.exports = function (User) {
|
||||
return newPath;
|
||||
}
|
||||
|
||||
function generateProfileImageFilename(uid, type, extension) {
|
||||
function generateProfileImageFilename(uid, extension) {
|
||||
const keepAllVersions = meta.config['profile:keepAllUserImages'] === 1;
|
||||
const convertToPNG = meta.config['profile:convertProfileImageToPNG'] === 1;
|
||||
return uid + '-' + type + (keepAllVersions ? '-' + Date.now() : '') + (convertToPNG ? '.png' : extension);
|
||||
return uid + '-profileavatar' + (keepAllVersions ? '-' + Date.now() : '') + (convertToPNG ? '.png' : extension);
|
||||
}
|
||||
|
||||
User.removeCoverPicture = async function (data) {
|
||||
|
||||
Reference in New Issue
Block a user