Sanitize snippet file name in raw headers

Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>

Sanitize snippet file name in raw headers
118bd717 · Dmitriy Zaporozhets · f28a12a5 · 118bd717 · 118bd717 · 118bd717
Unverified Commit 118bd717 authored 10 years ago by Dmitriy Zaporozhets
--- a/app/controllers/projects/snippets_controller.rb
+++ b/app/controllers/projects/snippets_controller.rb
@@ -68,7 +68,7 @@ class Projects::SnippetsController < Projects::ApplicationController
      @snippet.content,
      type: 'text/plain; charset=utf-8',
      disposition: 'inline',
-      filename: @snippet.file_name
+      filename: @snippet.sanitized_file_name
    )
  end
  

--- a/app/controllers/snippets_controller.rb
+++ b/app/controllers/snippets_controller.rb
@@ -79,7 +79,7 @@ class SnippetsController < ApplicationController
      @snippet.content,
      type: 'text/plain; charset=utf-8',
      disposition: 'inline',
-      filename: @snippet.file_name
+      filename: @snippet.sanitized_file_name
    )
  end
  

--- a/app/models/snippet.rb
+++ b/app/models/snippet.rb
@@ -64,6 +64,10 @@ class Snippet < ActiveRecord::Base
    file_name
  end
  
+  def sanitized_file_name
+    file_name.gsub(/[^a-zA-Z0-9_\-\.]+/, '')
+  end
+
  def mode
    nil
  end