Users can upload attachments which cannot be served due to invalid paths
It is possible for a user to upload a media attachment which cannot be served due to the filename containing restricted characters.
How to reproduce
- Upload a file called
:.png
via pleromafe or Mastodon API. - Attempt to access the file in your web browser, receive an error like this instead:
[debug] ** (Plug.Static.InvalidPathError) invalid path for static asset
(plug) lib/plug/static.ex:166: Plug.Static.call/2
(pleroma) lib/pleroma/web/endpoint.ex:1: Pleroma.Web.Endpoint.plug_builder_call/2
(pleroma) lib/plug/debugger.ex:122: Pleroma.Web.Endpoint."call (overridable 3)"/2
(pleroma) lib/pleroma/web/endpoint.ex:1: Pleroma.Web.Endpoint.call/2
(plug) lib/plug/adapters/cowboy/handler.ex:16: Plug.Adapters.Cowboy.Handler.upgrade/4
(cowboy) /home/d/src/pleroma/deps/cowboy/src/cowboy_protocol.erl:442: :cowboy_protocol.execute/4
The file is uploaded, it just won't be served.