From 1432ec36e9edf2321b46217e5bb178980764dd1f Mon Sep 17 00:00:00 2001
From: Steve Manuel
Date: Mon, 20 Mar 2017 21:55:58 -0700
Subject: adding filename normalization and sanitization for file uploads

---
 system/admin/upload/upload.go | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

(limited to 'system/admin')

diff --git a/system/admin/upload/upload.go b/system/admin/upload/upload.go
index 6b99dfc..cab3bb7 100644
--- a/system/admin/upload/upload.go
+++ b/system/admin/upload/upload.go
@@ -8,6 +8,8 @@ import (
 	"path/filepath"
 	"strconv"
 	"time"
+
+	"github.com/ponzu-cms/ponzu/system/item"
 )
 
 // StoreFiles stores file uploads at paths like /YYYY/MM/filename.ext
@@ -50,7 +52,11 @@ func StoreFiles(req *http.Request) (map[string]string, error) {
 	// loop over all files and save them to disk
 	for name, fds := range req.MultipartForm.File {
-		filename := fds[0].Filename
+		filename, err := item.NormalizeString(fds[0].Filename)
+		if err != nil {
+			return nil, err
+		}
+
 		src, err := fds[0].Open()
 		if err != nil {
 			err := fmt.Errorf("Couldn't open uploaded file: %s", err)
-- 
cgit v1.2.3
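Review bot: The result of `item.NormalizeString` becomes the on-disk filename later in StoreFiles, but nothing in this hunk shows whether that helper strips directory components or rejects an empty result, so the path-traversal property of the upload path currently depends entirely on code outside this file. A local guard would make the invariant visible where the name is consumed: `filename = filepath.Base(filename)` followed by `if filename == "." || filename == string(filepath.Separator) { return nil, fmt.Errorf("Invalid upload filename: %q", fds[0].Filename) }` (filepath and fmt are already imported). The error from NormalizeString is also returned bare, unlike the fmt.Errorf wrapping applied to the Open failure two lines below; wrapping it the same way with the original name quoted via %q keeps the caller's error messages consistent. StoreFiles continues past the end of the hunk, and the hunk's final context line appears to be cut off in this rendering.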