From 5e1b8620651d9e143f03f9b70cd3afe60c581236 Mon Sep 17 00:00:00 2001
From: ayrus
Date: Thu, 28 Mar 2013 02:09:38 -0400
Subject: [PATCH] Changed uploadDir to initialize from formData and customized further for PairIDE.
---
 README.md | 2 +
 lib/uploadhandler.js | 92 ++++++++++++++++++++++++--------------------
 2 files changed, 53 insertions(+), 41 deletions(-)
diff --git a/README.md b/README.md
index 0aaac0a..10d4ebb 100644
--- a/README.md
+++ b/README.md
@@ -1,6 +1,8 @@ jquery-file-upload-middleware =============================
+> This module has been mofified and customized to work with [PairIDE](https://github.com/pairide/pairide). Original readme is appended below as is. + jQuery-File-Upload Express.js middleware. Based on the server code of [jQuery-File-Upload](https://github.com/blueimp/jQuery-File-Upload) Installation:
diff --git a/lib/uploadhandler.js b/lib/uploadhandler.js
index bdab992..6be91a1 100644
--- a/lib/uploadhandler.js
+++ b/lib/uploadhandler.js
@@ -6,19 +6,41 @@ var EventEmitter = require('events').EventEmitter,
 mkdirp = require('mkdirp'),
 _ = require('lodash');
 
-module.exports = function (options) {
+var upload_directory = null;
+var FileInfo = null;
+var username = null;
+
+function get_upload_directory(){
+ return upload_directory;
+}
+
+function validatePath(relativePath, fileName){
+
+ relativePath = unescape(relativePath);
+ fileName = unescape(fileName);
 
- var FileInfo = require('./fileinfo')(
- _.extend({
- baseDir: options.uploadDir
- }, _.pick(options, 'minFileSize', 'maxFileSize', 'acceptFileTypes'))
- );
+ var fullPath = relativePath + fileName;
+ //Check for .. in relative path
+ var pathReg1 = /.*\.\..*/;
+ //Check that the fileName doesn't contain / or \
+ var pathReg2 = /(.*(\/|\\).*)/;
+ //Further validation on the name mostly ensures characters are alphanumeric
+ var pathReg3 = /^([a-zA-Z0-9_ .]|-)*$/;
+
+ return !(pathReg1.exec(relativePath)
+ || pathReg2.exec(fileName)
+ || !pathReg3.exec(fileName)
+ || pathReg1.exec(fullPath));
+}
+
+module.exports = function (options) {
 
 var UploadHandler = function (req, res, callback) {
 EventEmitter.call(this);
 this.req = req;
 this.res = res;
 this.callback = callback;
+ username = req.session.user_id;
 };
 
 require('util').inherits(UploadHandler, EventEmitter);
@@ -31,23 +53,6 @@ module.exports = function (options) {
 };
 
 UploadHandler.prototype.get = function () {
- this.noCache();
- var files = [];
- fs.readdir(options.uploadDir(), _.bind(function (err, list) {
- _.each(list, function (name) {
- var stats = fs.statSync(options.uploadDir() + '/' + name),
- fileInfo;
- if (stats.isFile()) {
- fileInfo = new FileInfo({
- name: name,
- size: stats.size
- });
- this.initUrls(fileInfo);
- files.push(fileInfo);
- }
- }, this);
- this.callback(files);
- }, this));
 };
 
 UploadHandler.prototype.post = function () {
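Review bot: `upload_directory`, `FileInfo` and `username` are now module-level variables shared by every request in the process, so two sessions uploading at the same time can interleave and have one user's file written under the other's `md5h(username)` directory; this state belongs on the handler instance (`this.username = req.session.user_id;` in the constructor and a per-request directory) rather than on the module. `validatePath` also tests an `unescape`d copy of its arguments while the caller later joins the raw `value` onto the path, and with `fileName` passed as `""` the only effective test is the substring match for `..`, which says nothing about whether the result stays inside the user's directory; normalizing and checking containment against the per-user root where the directory is built would cover both. The emptied `get` in the second hunk on this line (and `destroy` further down) no longer calls `this.callback`, so those requests never receive a response.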
@@ -74,6 +79,7 @@ module.exports = function (options) {
 form.uploadDir = options.tmpDir;
 form
 .on('fileBegin', function (name, file) {
+ console.log("Begin file... ");
 tmpFiles.push(file.path);
 var fileInfo = new FileInfo(file);
 fileInfo.safeName();
@@ -82,6 +88,20 @@ module.exports = function (options) {
 self.emit('begin', fileInfo);
 })
 .on('field', function (name, value) {
+
+ if(!validatePath(value, "")){
+ return;
+ }
+ md5h = require('MD5'),
+ app_dir = require('../../../config').app_dir;
+ upload_directory = app_dir + '/users/' + md5h(username) + value;
+
+ FileInfo = require('./fileinfo')(
+ _.extend({
+ baseDir: function() { return get_upload_directory(); }
+ }, _.pick(options, 'minFileSize', 'maxFileSize', 'acceptFileTypes'))
+ );
+
 if (name === 'redirect') {
 redirect = value;
 }
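Review bot: `console.log("Begin file... ")` in the `fileBegin` handler looks like leftover debugging output that will print one line per uploaded part in production; the `self.emit('begin', fileInfo)` a few lines further down already lets callers observe the same event, so the log line can simply be dropped. The enclosing `post` method starts and ends outside this hunk.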
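Review bot: The `field` handler rebuilds `upload_directory` from every field before it looks at `name`, so the `redirect` field's value (a URL) also goes through `validatePath` and, whenever it contains no `..`, becomes the upload directory; `md5h` and `app_dir` are additionally assigned without `var` (the trailing comma makes them one statement), leaking two implicit globals. Nothing checks that `app_dir + '/users/' + md5h(username) + value` stays inside the user's root: a `value` that does not begin with `/` yields a sibling directory such as `users/<md5 of username>foo` (constructed example). Handle `redirect` first, declare the locals, and resolve the target with `path.join` against the per-user root, refusing anything that lands outside it (`path` appears to be required at the top of the file, judging by the removed `destroy` body). The enclosing `post` method starts and ends outside this hunk.
```javascript
            .on('field', function (name, value) {
                if (name === 'redirect') {
                    redirect = value;
                    return;
                }
                if (!validatePath(value, "")) {
                    return;
                }
                var md5h = require('MD5');
                var app_dir = require('../../../config').app_dir;
                // Join against the per-user root and refuse anything that resolves outside it,
                // so containment does not depend on what validatePath happened to accept.
                var userRoot = path.join(app_dir, 'users', md5h(username));
                var target = path.join(userRoot, value);
                if (target !== userRoot && target.indexOf(userRoot + path.sep) !== 0) {
                    return;
                }
                upload_directory = target;
                // … unchanged: FileInfo = require('./fileinfo')( … ) …
                // (the original `if (name === 'redirect')` block is folded into the early return above)
            })
```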
@@ -99,33 +119,33 @@ module.exports = function (options) {
 if (options.imageTypes.test(fileInfo.name)) {
 _.each(options.imageVersions, function (value, version) {
 // creating directory recursive
- if (!fs.existsSync(options.uploadDir() + '/' + version + '/'))
- mkdirp.sync(options.uploadDir() + '/' + version + '/');
+ if (!fs.existsSync(get_upload_directory() + '/' + version + '/'))
+ mkdirp.sync(get_upload_directory() + '/' + version + '/');
 counter++;
 var opts = options.imageVersions[version];
 imageMagick.resize({
 width: opts.width,
 height: opts.height,
- srcPath: options.uploadDir() + '/' + fileInfo.name,
- dstPath: options.uploadDir() + '/' + version + '/' + fileInfo.name,
+ srcPath: get_upload_directory() + '/' + fileInfo.name,
+ dstPath: get_upload_directory() + '/' + version + '/' + fileInfo.name,
 customArgs: opts.imageArgs || ['-auto-orient']
 }, finish);
 });
 }
 }
- if (!fs.existsSync(options.uploadDir() + '/'))
- mkdirp.sync(options.uploadDir() + '/');
+ if (!fs.existsSync(get_upload_directory() + '/'))
+ mkdirp.sync(get_upload_directory() + '/');
 counter++;
- fs.rename(file.path, options.uploadDir() + '/' + fileInfo.name, function (err) {
+ fs.rename(file.path, get_upload_directory() + '/' + fileInfo.name, function (err) {
 if (!err) {
 generatePreviews();
 finish();
 } else {
 var is = fs.createReadStream(file.path);
- var os = fs.createWriteStream(get_upload_directory() + '/' + fileInfo.name);
+ var os = fs.createWriteStream(get_upload_directory() + '/' + fileInfo.name);
 is.on('end', function (err) {
 if (!err) {
 fs.unlinkSync(file.path);
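Review bot: Every `get_upload_directory()` call in this hunk re-reads module state that the `field` handler of any concurrent request may have changed in the meantime, and several of the reads happen later — inside the `fs.rename` callback and in the `srcPath`/`dstPath` arguments built by `generatePreviews` — so a single upload can end up spread across two users' directories. Read it once at the top of this block, `var uploadDir = get_upload_directory();`, and use the local throughout; that also gives one place to reject the `null` it may still hold when no validated field has arrived, instead of letting the concatenation create a directory literally named `null` under the working directory. The enclosing function starts and ends outside this hunk.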
@@ -157,16 +177,6 @@ module.exports = function (options) {
 };
 
 UploadHandler.prototype.destroy = function () {
- var self = this,
- fileName = path.basename(decodeURIComponent(this.req.url));
-
- fs.unlink(options.uploadDir() + '/' + fileName, function (ex) {
- _.each(options.imageVersions, function (value, version) {
- fs.unlink(options.uploadDir() + '/' + version + '/' + fileName);
- });
- self.emit('delete', fileName);
- self.callback(!ex);
- });
 };
 
 UploadHandler.prototype.initUrls = function (fileInfo) {