From bf9049d87d4d34d3a78c1d5c193511957db058e1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fr=C3=A9d=C3=A9ric=20P=C3=A9ters?=
Date: Mon, 29 Nov 2021 11:04:15 +0100
Subject: [PATCH] misc: add settings to block some extensions (#58982)
---
 fargo/fargo/forms.py | 6 ++++++
 fargo/settings.py | 3 +++
 tests/test_public.py | 15 +++++++++++++++
 3 files changed, 24 insertions(+)
diff --git a/fargo/fargo/forms.py b/fargo/fargo/forms.py
index 912a9ee..9946691 100644
--- a/fargo/fargo/forms.py
+++ b/fargo/fargo/forms.py
@@ -14,6 +14,8 @@
 # You should have received a copy of the GNU Affero General Public License
 # along with this program. If not, see .
+import os
+
 from django import forms
 from django.utils.translation import ugettext_lazy as _
 from django.conf import settings
@@ -34,6 +36,10 @@ class UploadForm(forms.ModelForm):
 _('Uploaded file is too big (limit is %s)')
 % filesizeformat(settings.FARGO_MAX_DOCUMENT_SIZE)
 )
+ if settings.FARGO_FORBIDDEN_EXTENSIONS:
+ ext = os.path.splitext(content.name)[-1]
+ if ext in settings.FARGO_FORBIDDEN_EXTENSIONS:
+ raise forms.ValidationError(_('Uploaded file is not allowed.'))
 return content
 def clean(self):
diff --git a/fargo/settings.py b/fargo/settings.py
index 6707c65..d6d616f 100644
--- a/fargo/settings.py
+++ b/fargo/settings.py
@@ -171,6 +171,9 @@ MELLON_IDENTITY_PROVIDERS = []
 # Fargo settings
+# forbidden files, list of extensions, ex: ['.php', '.exe']
+FARGO_FORBIDDEN_EXTENSIONS = None
+
 FARGO_MAX_DOCUMENT_SIZE = 4 * 1024 * 1024 # 4 Mo
 FARGO_MAX_DOCUMENT_BOX_SIZE = 20 * 1024 * 1024 # 20 Mo
diff --git a/tests/test_public.py b/tests/test_public.py
index ca505dc..43ddc8d 100644
--- a/tests/test_public.py
+++ b/tests/test_public.py
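Review bot: The added `if ext in settings.FARGO_FORBIDDEN_EXTENSIONS:` in fargo/fargo/forms.py is a case-sensitive string comparison, so a configured `'.php'` does not match an upload named with `.PHP` or `.Php`, and the block-list silently does nothing for those names. Normalise both sides before comparing: `ext = os.path.splitext(content.name)[-1].lower()` and `if ext in {e.lower() for e in settings.FARGO_FORBIDDEN_EXTENSIONS}:`. As a deny-list keyed only on the file name it covers exactly the entries listed and nothing else; if the product can tolerate it, an allow-list of accepted extensions is the stronger default. The def line of the enclosing clean method is above the hunk, so where `content` comes from is not visible here.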
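Review bot: The new comment on `FARGO_FORBIDDEN_EXTENSIONS` in fargo/settings.py leaves the value's contract implicit: the consumer in fargo/fargo/forms.py tests membership with `in`, so a plain string such as `'.php'` would be accepted without error and matched as a substring rather than as a list entry, and the leading dot is mandatory because the compared value is the suffix returned by `os.path.splitext()`. Suggest `# forbidden upload extensions: list of extensions including the leading dot, ex: ['.php', '.exe']; None or an empty list disables the check`.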
@@ -150,3 +150,18 @@ def test_max_documents_per_user(app, private_settings, john_doe):
 response = app.get('/upload/')
 assert response.location == '/'
+
+
+def test_forbidden_extension(app, private_settings, john_doe):
+ private_settings.FARGO_FORBIDDEN_EXTENSIONS = ['.txt']
+ login(app, user=john_doe)
+ resp = app.get('/')
+ resp.form['content'] = Upload('monfichier.pdf', b'coin', 'application/pdf')
+ resp = resp.form.submit().follow()
+ assert UserDocument.objects.count() == 1
+
+ resp = app.get('/')
+ resp.form['content'] = Upload('monfichier.txt', b'coin', 'text/plain')
+ resp = resp.form.submit()
+ assert 'Uploaded file is not allowed.' in resp.text
+ assert UserDocument.objects.count() == 1
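Review bot: `test_forbidden_extension` exercises only a lower-case `.txt` name, so it does not pin how the block-list behaves for `monfichier.TXT`, which is the first variant to ask about for an extension check. Add a third upload, `resp.form['content'] = Upload('monfichier.TXT', b'coin', 'text/plain')` followed by `resp = resp.form.submit()`, and assert the intended outcome on `UserDocument.objects.count()` so the case-handling decision is recorded by the test rather than left implicit.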