From de028e5dd89cf4fa393c365a3e457077a86befc7 Mon Sep 17 00:00:00 2001
From: Pavel Djundik
Date: Sun, 14 Oct 2018 00:23:32 +0300
Subject: [PATCH 1/2] Force express server to run in production mode
---
 src/server.js | 1 +
 1 file changed, 1 insertion(+)
diff --git a/src/server.js b/src/server.js
index efbf50c0..24afd99e 100644
--- a/src/server.js
+++ b/src/server.js
@@ -46,6 +46,7 @@ module.exports = function() {
 };
 const app = express()
+ .set("env", "production")
 .disable("x-powered-by")
 .use(allRequests)
 .use(index)
From 1d8a0e639ff796609f59e11e7f3893a66601c5fe Mon Sep 17 00:00:00 2001
From: Pavel Djundik
Date: Sun, 14 Oct 2018 00:23:41 +0300
Subject: [PATCH 2/2] Encode uploaded file slugs
---
 src/plugins/uploader.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/plugins/uploader.js b/src/plugins/uploader.js
index eb887742..0dff113f 100644
--- a/src/plugins/uploader.js
+++ b/src/plugins/uploader.js
@@ -52,7 +52,7 @@ class Uploader {
 } while (fs.stat(destPath, (err) => (err ? true : false)));
 fsextra.move(data.file.pathName, destPath).then(() => {
- const slug = path.basename(data.file.pathName);
+ const slug = encodeURIComponent(path.basename(data.file.pathName));
 const url = `uploads/${randomName}/${slug}`;
 socket.emit("upload:success", url);
 }).catch(() => {
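Review bot: The added `.set("env", "production")` in `src/server.js` carries no comment explaining why the mode is hard-coded, and the reason is security-relevant: Express's default error handler puts the stack trace into the response unless `env` is `production`, and `env` otherwise follows `NODE_ENV`. A one-line comment above it, e.g. `// Pin production mode so error responses never carry stack traces, whatever NODE_ENV is set to`, would keep a later cleanup from removing it. The surrounding `module.exports` function starts and ends outside the hunk, so whether a custom error handler is also registered cannot be seen here.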
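Review bot: In `src/plugins/uploader.js` the loop condition on the context line `} while (fs.stat(destPath, (err) => (err ? true : false)));` never retries, because the callback form of `fs.stat` returns `undefined` and the callback's return value is discarded, so an already existing `destPath` goes undetected. A synchronous check such as `} while (fs.existsSync(destPath));` would make the collision guard effective. On the changed line, a short comment such as `// Percent-encode the file name before it is placed in the URL sent to clients` would record why the slug is encoded, since the name presumably originates from the uploader. The loop body and the `.catch` handler lie outside the hunk, so how `destPath` is built and how a failed move is reported are not visible here.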