From d1607a387a1eafdef2cdc627cfb87def4274dfeb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?R=C3=A9gis=20Hanol?=
Date: Tue, 21 Aug 2018 18:11:01 +0200
Subject: [PATCH] FIX: only allow printable characters in uploads filename
---
 lib/upload_creator.rb | 4 ++--
 spec/lib/upload_creator_spec.rb | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/lib/upload_creator.rb b/lib/upload_creator.rb
index 8065d1e6f8..ea365b18b3 100644
--- a/lib/upload_creator.rb
+++ b/lib/upload_creator.rb
@@ -22,8 +22,8 @@ class UploadCreator
 # - for_export (boolean)
 def initialize(file, filename, opts = {})
 @file = file
- @filename = filename || ''
- @upload = Upload.new(original_filename: filename, filesize: 0)
+ @filename = (filename || "").gsub(/[^[:print:]]/, "")
+ @upload = Upload.new(original_filename: @filename, filesize: 0)
 @opts = opts
 end
diff --git a/spec/lib/upload_creator_spec.rb b/spec/lib/upload_creator_spec.rb
index bee9ffad93..614916ec4f 100644
--- a/spec/lib/upload_creator_spec.rb
+++ b/spec/lib/upload_creator_spec.rb
@@ -14,7 +14,7 @@ RSpec.describe UploadCreator do
 it 'should store the upload with the right extension' do
 expect do
- UploadCreator.new(file, filename).create_for(user.id)
+ UploadCreator.new(file, "utf-8\n.txt").create_for(user.id)
 end.to change { Upload.count }.by(1)
 upload = Upload.last
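Review bot: In `lib/upload_creator.rb`, the new `gsub` in `initialize` raises `ArgumentError` (invalid byte sequence) when the client-supplied filename is not valid in its tagged encoding, whereas the old `filename || ''` could not raise in the constructor. Scrubbing first keeps construction total for untrusted input: `@filename = (filename || "").scrub("").gsub(/[^[:print:]]/, "")`. Separately, `[:print:]` on a UTF-8 string still admits, as far as I know, Unicode format characters such as bidirectional overrides, and it leaves `/` and `\` untouched, so this strips control characters rather than fully sanitising the name. A comment above the line such as `# drops control characters (e.g. "\n"); not a path or extension sanitiser` would keep later readers from over-trusting `@filename`.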
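Review bot: In `spec/lib/upload_creator_spec.rb`, swapping `filename` for `"utf-8\n.txt"` inside the existing example means this example no longer exercises an unmodified filename, and nothing visible in the hunk asserts what the newline-bearing name is stored as. The example's remaining assertions lie outside the hunk, so the stored name may already be checked there. If it is not, a dedicated example ending in `expect(upload.original_filename).to eq("utf-8.txt")` would pin the stripping behaviour while leaving the original case in place.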