general: blacklist some file types for upload (#6829)
parent
9c5500febf
commit
10bec6f636
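--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -2981,6 +2981,46 @@ def test_form_file_field_submit_wrong_mimetype(pub):
 assert resp.text == '%PDF-1.4 ...'
 
 
+def test_form_file_field_submit_blacklist(pub):
+formdef = create_formdef()
+formdef.fields = [fields.FileField(id='0', label='file')]
+formdef.store()
+formdef.data_class().wipe()
+
+# application/x-ms-dos-executable
+upload = Upload('test.exe', b'MZ...', 'application/force-download')
+resp = get_app(pub).get('/test/')
+resp.forms[0]['f0$file'] = upload
+resp = resp.forms[0].submit('submit')
+assert 'forbidden file type' in resp.text
+
+# define custom blacklist
+pub.load_site_options()
+if not pub.site_options.has_section('options'):
+pub.site_options.add_section('options')
+pub.site_options.set('options', 'blacklisted-file-types', 'application/pdf')
+with open(os.path.join(pub.app_dir, 'site-options.cfg'), 'w') as fd:
+pub.site_options.write(fd)
+
+# check against mime type
+upload = Upload('test.pdf', b'%PDF-1.4 ...', 'application/force-download')
+resp = get_app(pub).get('/test/')
+resp.forms[0]['f0$file'] = upload
+resp = resp.forms[0].submit('submit')
+assert 'forbidden file type' in resp.text
+
+# check against extension
+pub.site_options.set('options', 'blacklisted-file-types', '.pdf')
+with open(os.path.join(pub.app_dir, 'site-options.cfg'), 'w') as fd:
+pub.site_options.write(fd)
+
+upload = Upload('test.pdf', b'%PDF-1.4 ...', 'application/force-download')
+resp = get_app(pub).get('/test/')
+resp.forms[0]['f0$file'] = upload
+resp = resp.forms[0].submit('submit')
+assert 'forbidden file type' in resp.text
+
+
 def test_form_table_field_submit(pub, emails):
 formdef = create_formdef()
 formdef.fields = [fields.TableField(id='0', label='table', type='table',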
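Review bot: The new test never asserts that an allowed file is accepted, so an implementation that rejects every upload would still pass; add one submission with the custom blacklist active (e.g. a `.txt` upload) asserting `'forbidden file type' not in resp.text`. It also does not check that the built-in defaults stay blocked once `blacklisted-file-types` is set: re-submitting the `test.exe` upload after the custom option is written would pin down whether the option extends or replaces the defaults. The modified `site-options.cfg` is written into `pub.app_dir` and never restored; unless a fixture resets it, the custom blacklist leaks into later tests — please confirm.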
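--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -801,6 +801,16 @@ class FileWithPreviewWidget(CompositeWidget):
 if not valid_file_type:
 self.error = _('invalid file type')
 
+blacklisted_file_types = get_publisher().get_site_option('blacklisted-file-types')
+if blacklisted_file_types:
+blacklisted_file_types = [x.strip() for x in blacklisted_file_types.split(',')]
+else:
+blacklisted_file_types = ['.exe', '.bat', '.com', '.pif', '.php', '.js',
+'application/x-ms-dos-executable']
+if (os.path.splitext(self.value.base_filename)[-1].lower() in blacklisted_file_types or
+filetype in blacklisted_file_types):
+self.error = _('forbidden file type')
+
 
 class PicklableUpload(Upload):
 def __getstate__(self):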
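Review bot: A configured `blacklisted-file-types` site option replaces the built-in list instead of extending it, so an administrator who adds one type (as the test does with `application/pdf`) silently stops blocking `.exe`, `.bat` and the other defaults; merging is safer: `defaults = ['.exe', '.bat', '.com', '.pif', '.php', '.js', 'application/x-ms-dos-executable']`, `custom = [x.strip().lower() for x in (blacklisted_file_types or '').split(',') if x.strip()]`, `blacklisted_file_types = defaults + custom` (the `.lower()` also lets a configured `.PDF` match the lowercased extension, which the current code does not). Both comparisons are name-based — the extension comes from the client-supplied `base_filename`, and `filetype`, bound above the hunk, is either the declared content type or a guess from that same name — so the file content is never inspected and a denylist of names is a weaker control than the allowlist the existing `file_type` check already provides; a comment such as `# name-based denylist only; file contents are not inspected` on the first added line would make that limit explicit. `filetype` and `self.value` are defined outside the hunk; if `filetype` is only computed on some path (e.g. when `file_type` is set), this new unconditional use may raise `NameError` — please confirm.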