Unique filenames for tmp files in ghost-busboy

fixes #1843 - uses a timestamp and an md5 hash of the filename for the tmp file instead of the user-provided filename
2024-11-23 22:11:09 +03:00 · 2014-01-04 19:11:05 -08:00 · 2014-01-04 19:11:05 -08:00 · 1640d9bc35
commit 1640d9bc35
parent 68524aca57
1 changed files with 11 additions and 3 deletions
--- a/core/server/middleware/ghost-busboy.js
+++ b/core/server/middleware/ghost-busboy.js
@ -1,7 +1,8 @@
 var BusBoy  = require('busboy'),
    fs      = require('fs-extra'),
    path    = require('path'),
-    os      = require('os');
+    os      = require('os'),
+    crypto  = require('crypto');

 // ### ghostBusboy
 // Process multipart file streams and copies them to a memory stream to be 
@ -23,7 +24,9 @@ function ghostBusBoy(req, res, next) {
    req.body = req.body || {};

    busboy.on('file', function (fieldname, file, filename, encoding, mimetype) {
-        var filePath;
+        var filePath,
+            tmpFileName,
+            md5 = crypto.createHash('md5');

        // If the filename is invalid, mark an error
        if (!filename) {
@ -34,7 +37,12 @@ function ghostBusBoy(req, res, next) {
            return file.emit('end');
        }

-        filePath = path.join(tmpDir, filename || 'temp.tmp');
+        // Create an MD5 hash of original filenae
+        md5.update(filename, 'utf8');
+
+        tmpFileName = +new Date() + md5.digest('base64');
+
+        filePath = path.join(tmpDir, tmpFileName || 'temp.tmp');

        file.on('end', function () {
            req.files[fieldname] = {