jjkiers/cloudron-box
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity

Properly escape the filename when uploading files

Browse Source 
tested with filename:
Fancy - +!"#$&'\''()*+,:;=?@ - Filename

(in the e2e repo)
This commit is contained in:
Girish Ramakrishnan
2019-03-04 11:54:48 -08:00
parent f3189f72fd
commit be92d3a0bc
1 changed files with 6 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
src/apps.js
View File

@@ -1457,7 +1457,12 @@ function uploadFile(appId, sourceFilePath, destFilePath, callback) {
assert.strictEqual(typeof destFilePath, 'string');
assert.strictEqual(typeof callback, 'function');
exec(appId, { cmd: [ 'bash', '-c', 'cat - > ' + destFilePath ], tty: false }, function (error, stream) {
// the built-in bash printf understands "%q" but not /usr/bin/printf.
// ' gets replaced with '\'' . the first closes the quote and last one starts a new one
const escapedDestFilePath = safe.child_process.execSync(`printf %q '${destFilePath.replace(/'/g, '\'\\\'\'')}'`, { shell: '/bin/bash', encoding: 'utf8' });
debug(`uploadFile: ${sourceFilePath} -> ${escapedDestFilePath}`);
exec(appId, { cmd: [ 'bash', '-c', `cat - > ${escapedDestFilePath}` ], tty: false }, function (error, stream) {
if (error) return callback(error);
var readFile = fs.createReadStream(sourceFilePath);