whitelist all allowed characters in filenames, see #75

2025-01-20 22:52:46 -05:00 · 2014-06-18 02:01:58 +04:00 · 2014-06-18 02:01:58 +04:00 · 88f3944f5a
commit 88f3944f5a
parent 20524118ef
1 changed files with 2 additions and 1 deletions
--- a/lib/utils.js
+++ b/lib/utils.js
@ -8,9 +8,10 @@ module.exports.validate_name = function(name) {
 	if (typeof(name) !== 'string') return false
 	name = name.toLowerCase()
 	if (
+		// all URL-safe characters and "@" for issue #75
+		!name.match(/^[-a-zA-Z0-9_.!~*'()@]+$/) ||
 		name.charAt(0) === '.' || // ".bin", etc.
 		name.charAt(0) === '-' || // "-" is reserved by couchdb
-		name.match(/[\\\/\s\+%:]/) ||
 		name === 'node_modules' ||
 		name === '__proto__' ||
 		name === 'package.json' ||