Merge pull request #2606 from alexdunae/scrub-invalid-filenames

Remove invalid byte sequences from the sanitized filename

lib/carrierwave/sanitized_file.rb

@@ -291,6 +291,7 @@ module CarrierWave
 
     # Sanitize the filename, to prevent hacking
     def sanitize(name)
+      name = name.scrub
       name = name.tr("\\", "/") # work-around for IE
       name = File.basename(name)
       name = name.gsub(sanitize_regexp,"_")

spec/sanitized_file_spec.rb

@@ -151,6 +151,11 @@ describe CarrierWave::SanitizedFile do
       expect(sanitized_file).to receive(:original_filename).at_least(:once).and_return("ТестоВый Ёжик.jpg")
       expect(sanitized_file.filename).to eq("ТестоВый_Ёжик.jpg")
     end
+
+    it "should remove invalid byte sequences from the filename" do
+      expect(sanitized_file).to receive(:original_filename).at_least(:once).and_return("test\xDD.jpg")
+      expect(sanitized_file.filename).to eq("test_.jpg")
+    end
   end
 
   describe "#filename with an overridden sanitize_regexp" do