Rename media to avoid exposing filename (fixes #207)

app/controllers/api/v1/media_controller.rb

@@ -7,7 +7,10 @@ class Api::V1::MediaController < ApiController
   respond_to :json
 
   def create
-    @media = MediaAttachment.create!(account: current_user.account, file: params[:file])
+    file = params[:file]
+    # Change so Paperclip won't expose the actual filename
+    file.original_filename = "media" + File.extname(file.original_filename)
+    @media = MediaAttachment.create!(account: current_user.account, file: file)
   rescue Paperclip::Errors::NotIdentifiedByImageMagickError
     render json: { error: 'File type of uploaded media could not be verified' }, status: 422
   rescue Paperclip::Error

app/controllers/settings/profiles_controller.rb

@@ -20,7 +20,18 @@ class Settings::ProfilesController < ApplicationController
   private
 
   def account_params
-    params.require(:account).permit(:display_name, :note, :avatar, :header, :silenced)
+    p = params.require(:account).permit(:display_name, :note, :avatar, :header, :silenced)
+    if p[:avatar]
+        avatar = p[:avatar]
+        # Change so Paperclip won't expose the actual filename
+        avatar.original_filename = "media" + File.extname(avatar.original_filename)
+    end
+    if p[:header]
+        header = p[:header]
+        # Change so Paperclip won't expose the actual filename
+        header.original_filename = "media" + File.extname(header.original_filename)
+    end
+    p
   end
 
   def set_account