Safer destroy handling

Author: fabien

lib/filehandler.js

@@ -16,6 +16,7 @@ module.exports = function (middleware, options, callback) {
                         ? 'application/json'
                         : 'text/plain'
                 });
+                if (req.method == 'HEAD') return res.send(200);
                 res.json(200, files);
             }
         });

lib/uploadhandler.js

@@ -160,16 +160,22 @@ module.exports = function (options) {
     };
 
     UploadHandler.prototype.destroy = function () {
-        var self = this,
-            fileName = path.basename(decodeURIComponent(this.req.url));
-            
-        fs.unlink(options.uploadDir() + '/' + fileName, function (ex) {
-            _.each(options.imageVersions, function (value, version) {
-                fs.unlink(options.uploadDir() + '/' + version + '/' + fileName);
-            });
-            self.emit('delete', fileName);
-            self.callback(!ex);
-        });
+        var self = this, url = path.join(this.req.app.path() || '/', this.req.url);
+        var uploadUrl = options.uploadUrl();
+        if (url.slice(0, uploadUrl.length) === uploadUrl) {
+            var fileName = path.basename(decodeURIComponent(this.req.url));
+            if (fileName.indexOf('.') != 0) {
+                fs.unlink(options.uploadDir() + '/' + fileName, function (ex) {
+                    _.each(options.imageVersions, function (value, version) {
+                        fs.unlink(options.uploadDir() + '/' + version + '/' + fileName);
+                    });
+                    self.emit('delete', fileName);
+                    self.callback(!ex);
+                });
+            }
+        } else {
+            self.callback(false);
+        }
     };
 
     UploadHandler.prototype.initUrls = function (fileInfo) {