authorSteve Manuel <nilslice@gmail.com>2017-03-20 21:55:58 -0700
committerSteve Manuel <nilslice@gmail.com>2017-03-20 21:55:58 -0700
commit1432ec36e9edf2321b46217e5bb178980764dd1f (patch)
treeb9e6ab1e734296f3e277b8076421c0715a7af54a /system/admin/upload/upload.go
parentf84b665159bb28206bed39170f8947a6b52650c2 (diff)
adding filename normalization and sanitization for file uploads
Diffstat (limited to 'system/admin/upload/upload.go')
-rw-r--r--system/admin/upload/upload.go8
1 files changed, 7 insertions, 1 deletions
diff --git a/system/admin/upload/upload.go b/system/admin/upload/upload.go
index 6b99dfc..cab3bb7 100644
--- a/system/admin/upload/upload.go
+++ b/system/admin/upload/upload.go
@@ -8,6 +8,8 @@ import (
"path/filepath"
"strconv"
"time"
+
+ "github.com/ponzu-cms/ponzu/system/item"
)
// StoreFiles stores file uploads at paths like /YYYY/MM/filename.ext
@@ -50,7 +52,11 @@ func StoreFiles(req *http.Request) (map[string]string, error) {
// loop over all files and save them to disk
for name, fds := range req.MultipartForm.File {
- filename := fds[0].Filename
+ filename, err := item.NormalizeString(fds[0].Filename)
+ if err != nil {
+ return nil, err
+ }
+
src, err := fds[0].Open()
if err != nil {
err := fmt.Errorf("Couldn't open uploaded file: %s", err)
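Review bot: The value returned by `item.NormalizeString(fds[0].Filename)` is accepted as the on-disk name with no local check, so keeping the upload inside the /YYYY/MM directory depends entirely on a helper whose body is not visible in this hunk. I would enforce the single-path-component guarantee here as well: `path/filepath` is already imported, so follow the call with `filename = filepath.Base(filename)` and return an error when the result is `.`, `..` or a bare separator (`filepath.Base` returns `.` for an empty string, which covers a name that normalizes to nothing). It is also worth confirming whether two different client names can normalize to the same string and silently overwrite an earlier upload in the same month. As a smaller point, the new `return nil, err` is bare while the `Open` failure just below is wrapped with `fmt.Errorf`; wrapping it with the field `name` would make the failure traceable. StoreFiles starts and ends outside the hunk, so how `filename` is joined into the destination path is inferred from the doc comment rather than seen.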