Sanitize media upload filenames. Closes #397.

cmd/media.go

@@ -51,7 +51,7 @@ func handleUploadMedia(c echo.Context) error {
 	}
 
 	// Generate filename
-	fName := generateFileName(file.Filename)
+	fName := makeFilename(file.Filename)
 
 	// Read file contents in memory
 	src, err := file.Open()

cmd/utils.go

@@ -4,6 +4,7 @@ import (
 	"bytes"
 	"crypto/rand"
 	"fmt"
+	"path/filepath"
 	"regexp"
 	"strconv"
 	"strings"
@@ -25,13 +26,13 @@ func inArray(val string, vals []string) (ok bool) {
 	return false
 }
 
-// generateFileName appends the incoming file's name with a small random hash.
-func generateFileName(fName string) string {
+// makeFilename sanitizes a filename (user supplied upload filenames).
+func makeFilename(fName string) string {
 	name := strings.TrimSpace(fName)
 	if name == "" {
 		name, _ = generateRandomString(10)
 	}
-	return name
+	return filepath.Base(name)
 }
 
 // Given an error, pqErrMsg will try to return pq error details

internal/media/providers/filesystem/filesystem.go

@@ -8,7 +8,6 @@ import (
 	"path/filepath"
 	"regexp"
 	"strconv"
-	"strings"
 
 	"github.com/knadh/listmonk/internal/media"
 )
@@ -43,13 +42,7 @@ func NewDiskStore(opts Opts) (media.Store, error) {
 // Put accepts the filename, the content type and file object itself and stores the file in disk.
 func (c *Client) Put(filename string, cType string, src io.ReadSeeker) (string, error) {
 	var out *os.File
-	// There's no explicit name. Use the one posted in the HTTP request.
-	if filename == "" {
-		filename = strings.TrimSpace(filename)
-		if filename == "" {
-			filename, _ = generateRandomString(10)
-		}
-	}
+
 	// Get the directory path
 	dir := getDir(c.opts.UploadPath)
 	filename = assertUniqueFilename(dir, filename)