Sanitize snippet file name in raw headers

Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>
2014-12-12 13:28:48 +02:00 · 2014-12-12 13:28:48 +02:00 · 118bd7178b
parent f28a12a559
commit 118bd7178b
3 changed files with 6 additions and 2 deletions
--- a/app/controllers/projects/snippets_controller.rb
+++ b/app/controllers/projects/snippets_controller.rb
@ -68,7 +68,7 @@ class Projects::SnippetsController < Projects::ApplicationController
      @snippet.content,
      type: 'text/plain; charset=utf-8',
      disposition: 'inline',
-      filename: @snippet.file_name
+      filename: @snippet.sanitized_file_name
    )
  end

--- a/app/controllers/snippets_controller.rb
+++ b/app/controllers/snippets_controller.rb
@ -79,7 +79,7 @@ class SnippetsController < ApplicationController
      @snippet.content,
      type: 'text/plain; charset=utf-8',
      disposition: 'inline',
-      filename: @snippet.file_name
+      filename: @snippet.sanitized_file_name
    )
  end

--- a/app/models/snippet.rb
+++ b/app/models/snippet.rb
@ -64,6 +64,10 @@ class Snippet < ActiveRecord::Base
    file_name
  end

+  def sanitized_file_name
+    file_name.gsub(/[^a-zA-Z0-9_\-\.]+/, '')
+  end
+
  def mode
    nil
  end