diff options
| author | Ghassen Rjab <rjab.ghassen@gmail.com> | 2017-08-31 22:02:11 +0100 |
|---|---|---|
| committer | Ghassen Rjab <rjab.ghassen@gmail.com> | 2017-08-31 22:02:11 +0100 |
| commit | ad09630d4ef5a759cc975db241c79b6c94c05129 (patch) | |
| tree | 5470fdc5e9d5c20bb1ccb1dfc60fb2a2d8b07a23 /models | |
| parent | ddc21046b9385ac5ce5bbb9a773484fcd056d10c (diff) | |
| download | wekan-ad09630d4ef5a759cc975db241c79b6c94c05129.tar.gz wekan-ad09630d4ef5a759cc975db241c79b6c94c05129.tar.bz2 wekan-ad09630d4ef5a759cc975db241c79b6c94c05129.zip | |
use beforeWrite method of CollectionFS instead of collection-hooks
Diffstat (limited to 'models')
| -rw-r--r-- | models/attachments.js | 36 |
1 files changed, 18 insertions, 18 deletions
diff --git a/models/attachments.js b/models/attachments.js index 1c9878c7..3e5d4437 100644 --- a/models/attachments.js +++ b/models/attachments.js @@ -3,7 +3,24 @@ Attachments = new FS.Collection('attachments', { // XXX Add a new store for cover thumbnails so we don't load big images in // the general board view - new FS.Store.GridFS('attachments'), + new FS.Store.GridFS('attachments', { + // If the uploaded document is not an image we need to enforce browser + // download instead of execution. This is particularly important for HTML + // files that the browser will just execute if we don't serve them with the + // appropriate `application/octet-stream` MIME header which can lead to user + // data leaks. I imagine other formats (like PDF) can also be attack vectors. + // See https://github.com/wekan/wekan/issues/99 + // XXX Should we use `beforeWrite` option of CollectionFS instead of + // collection-hooks? + // We should use `beforeWrite`. + beforeWrite: (fileObj) => { + if (!fileObj.isImage()) { + return { + type: 'application/octet-stream' + }; + } + }, + }), ], }); @@ -36,23 +53,6 @@ if (Meteor.isServer) { // XXX Enforce a schema for the Attachments CollectionFS -Attachments.files.before.insert((userId, doc) => { - const file = new FS.File(doc); - doc.userId = userId; - - // If the uploaded document is not an image we need to enforce browser - // download instead of execution. This is particularly important for HTML - // files that the browser will just execute if we don't serve them with the - // appropriate `application/octet-stream` MIME header which can lead to user - // data leaks. I imagine other formats (like PDF) can also be attack vectors. - // See https://github.com/wekan/wekan/issues/99 - // XXX Should we use `beforeWrite` option of CollectionFS instead of - // collection-hooks? - if (!file.isImage()) { - file.original.type = 'application/octet-stream'; - } -}); - if (Meteor.isServer) { Attachments.files.after.insert((userId, doc) => { Activities.insert({ |