From 5dd90fbff3669cf21bee18a20c3d4500c8177feb Mon Sep 17 00:00:00 2001
From: Robert Swain
Date: Thu, 18 May 2017 18:00:56 +0200
Subject: [PATCH] mediaapi/writers/fileutils: Make note of further file path validation todo

---
 .../matrix-org/dendrite/mediaapi/writers/fileutils.go | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/src/github.com/matrix-org/dendrite/mediaapi/writers/fileutils.go b/src/github.com/matrix-org/dendrite/mediaapi/writers/fileutils.go
index d931707b0..9a72b378f 100644
--- a/src/github.com/matrix-org/dendrite/mediaapi/writers/fileutils.go
+++ b/src/github.com/matrix-org/dendrite/mediaapi/writers/fileutils.go
@@ -105,6 +105,11 @@ func getPathFromMediaMetadata(m *types.MediaMetadata, absBasePath types.Path) (s
 fileName,
 ))
 
+ // FIXME:
+ // - validate origin
+ // - sanitize mediaID (e.g. '/' characters and such)
+ // - validate length of origin and mediaID according to common filesystem limitations
+
 // check if the absolute absBasePath is a prefix of the absolute filePath
 // if so, no directory escape has occurred and the filePath is valid
 // Note: absBasePath is already absolute
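Review bot: The FIXME added ahead of the prefix check lists the gaps but not the rule to enforce, and "sanitize mediaID (e.g. '/' characters and such)" reads as a denylist, which is the weaker contract for a value that becomes a path component. I would reword that bullet along the lines of `// - restrict mediaID to an allowlist of characters and reject (not rewrite) anything else`, and have the origin bullet state what a valid origin is (for example, that it must parse as a server name). Until those checks exist, the prefix comparison described in the context comments below is the only guard against directory escape, and the comment should say so. If that comparison is a plain string-prefix test (its code is not visible in this hunk), it should compare against absBasePath plus a trailing path separator so that a sibling directory sharing the same prefix is not accepted. getPathFromMediaMetadata begins and ends outside the hunk.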