Merge branch 'site_file_rename'

models/site.rb

@@ -651,6 +651,14 @@ class Site < Sequel::Model
     false
   end
 
+  def self.valid_file_mime_type_and_ext?(mime_type, extname)
+    unless (Site::VALID_MIME_TYPES.include?(mime_type) || mime_type =~ /text/ || mime_type =~ /inode\/x-empty/) &&
+           Site::VALID_EXTENSIONS.include?(extname.sub(/^./, '').downcase)
+      return false
+    end
+    true
+  end
+
   def self.valid_file_type?(uploaded_file)
     mime_type = Magic.guess_file_mime_type uploaded_file[:tempfile].path
     extname = File.extname uploaded_file[:filename]
@@ -660,10 +668,7 @@ class Site < Sequel::Model
     #  extname = uploaded_file[:filename]
     #end
 
-    unless (Site::VALID_MIME_TYPES.include?(mime_type) || mime_type =~ /text/ || mime_type =~ /inode\/x-empty/) &&
-           Site::VALID_EXTENSIONS.include?(extname.sub(/^./, '').downcase)
-      return false
-    end
+    return false unless valid_file_mime_type_and_ext?(mime_type, extname)
 
     # clamdscan doesn't work on travis for testing
     return true if ENV['TRAVIS'] == 'true'
@@ -1162,7 +1167,14 @@ class Site < Sequel::Model
       clean << part if part != '..'
     end
 
-    clean.join '/'
+    clean_path = clean.join '/'
+
+    # Scrub carriage garbage (everything below 32 bytes.. http://www.asciitable.com/)
+    clean_path.each_codepoint do |c|
+      raise ArgumentError, 'invalid character for filename' if c < 32
+    end
+
+    clean_path
   end
 
   def current_files_path(path='')