Closed longregen closed 12 months ago
Something like this is a preferable approach to me
diff --git a/matrix_commander/matrix_commander.py b/matrix_commander/matrix_commander.py
index 489f3e0..3634c7a 100755
--- a/matrix_commander/matrix_commander.py
+++ b/matrix_commander/matrix_commander.py
@@ -723,7 +723,7 @@ class Callbacks(object):
else:
media_data = resp.body
filename = choose_available_filename(
- os.path.join(gs.pa.download_media, event.body)
+ os.path.join(gs.pa.download_media, event.event_id)
)
async with aiofiles.open(filename, "wb") as f:
await f.write(media_data)
@@ -753,7 +753,7 @@ class Callbacks(object):
else:
media_data = resp.body
filename = choose_available_filename(
- os.path.join(gs.pa.download_media, event.body)
+ os.path.join(gs.pa.download_media, event.event_id)
)
async with aiofiles.open(filename, "wb") as f:
await f.write(
Done, see PR 25845fb
Use option --download-media-name eventid
and test it.
This input should not be trusted and it's a possible source of path traversal problems. I received a message with a "/" in the filename and the download just failed silently from
--listen --download-media
.Rather than: https://github.com/8go/matrix-commander/blame/026450f111d8600fe4cec29ba62ad17112a0d545/matrix_commander/matrix_commander.py#L468
Why not just use the ID of the message? AFAIK, messages can't have more than one attachment -- if they do, we can use "choose_next_available_filename_with_whatever_strategy", but this default is a real pain. I can provide an alternative but I would try to keep it simple.