safer path handling, safer shortcode handling

2020-03-24 00:12:42 +00:00 · 2020-03-24 00:12:42 +00:00 · cb5a9662b8
parent 0e4cedc350
commit cb5a9662b8
1 changed files with 6 additions and 2 deletions
--- a/steal_emoji_policy.ex
+++ b/steal_emoji_policy.ex
@ -39,7 +39,7 @@ defmodule Pleroma.Web.ActivityPub.MRF.StealEmojiPolicy do
            Logger.debug("HANDLING EMOJO")

            cond do
-              String.contains?(emojo_shortcode, "/") ->
+              !String.match?(emojo_shortcode, ~r/^[[:word:]]+$/) ->
                Logger.error("BAD EMOJO SHORTCODE: #{emojo_shortcode}")

              String.starts_with?(emojo_url, "https://") ->
@ -48,7 +48,11 @@ defmodule Pleroma.Web.ActivityPub.MRF.StealEmojiPolicy do

                  if remote_emojo.status_code == 200 do
                    with {:ok, current_dir} <- File.cwd() do
-                      new_file = current_dir <> "/priv/static/emoji/stolen/" <> emojo_shortcode <> Path.extname(emojo_url)
+                      emojo_uri = URI.parse(emojo_url)
+                      extension = Path.extname(Path.basename(emojo_uri.path))
+                      filename = emojo_shortcode <> extension
+
+                      new_file = Path.join([current_dir, "priv/static/emoji/stolen", filename])

                      {:ok, file} = File.open(new_file, [:write])
                      IO.binwrite(file, remote_emojo.body)