general: blacklist some file types for upload (#6829)

2020-01-25 16:49:20 +01:00 · 2020-01-25 16:49:20 +01:00 · 10bec6f636
parent 9c5500febf
commit 10bec6f636
2 changed files with 50 additions and 0 deletions
--- a/tests/test_form_pages.py
+++ b/tests/test_form_pages.py
@ -2981,6 +2981,46 @@ def test_form_file_field_submit_wrong_mimetype(pub):
    assert resp.text == '%PDF-1.4 ...'


+def test_form_file_field_submit_blacklist(pub):
+    formdef = create_formdef()
+    formdef.fields = [fields.FileField(id='0', label='file')]
+    formdef.store()
+    formdef.data_class().wipe()
+
+    # application/x-ms-dos-executable
+    upload = Upload('test.exe', b'MZ...', 'application/force-download')
+    resp = get_app(pub).get('/test/')
+    resp.forms[0]['f0$file'] = upload
+    resp = resp.forms[0].submit('submit')
+    assert 'forbidden file type' in resp.text
+
+    # define custom blacklist
+    pub.load_site_options()
+    if not pub.site_options.has_section('options'):
+        pub.site_options.add_section('options')
+    pub.site_options.set('options', 'blacklisted-file-types', 'application/pdf')
+    with open(os.path.join(pub.app_dir, 'site-options.cfg'), 'w') as fd:
+        pub.site_options.write(fd)
+
+    # check against mime type
+    upload = Upload('test.pdf', b'%PDF-1.4 ...', 'application/force-download')
+    resp = get_app(pub).get('/test/')
+    resp.forms[0]['f0$file'] = upload
+    resp = resp.forms[0].submit('submit')
+    assert 'forbidden file type' in resp.text
+
+    # check against extension
+    pub.site_options.set('options', 'blacklisted-file-types', '.pdf')
+    with open(os.path.join(pub.app_dir, 'site-options.cfg'), 'w') as fd:
+        pub.site_options.write(fd)
+
+    upload = Upload('test.pdf', b'%PDF-1.4 ...', 'application/force-download')
+    resp = get_app(pub).get('/test/')
+    resp.forms[0]['f0$file'] = upload
+    resp = resp.forms[0].submit('submit')
+    assert 'forbidden file type' in resp.text
+
+
 def test_form_table_field_submit(pub, emails):
    formdef = create_formdef()
    formdef.fields = [fields.TableField(id='0', label='table', type='table',
--- a/wcs/qommon/form.py
+++ b/wcs/qommon/form.py
@ -801,6 +801,16 @@ class FileWithPreviewWidget(CompositeWidget):
            if not valid_file_type:
                self.error = _('invalid file type')

+        blacklisted_file_types = get_publisher().get_site_option('blacklisted-file-types')
+        if blacklisted_file_types:
+            blacklisted_file_types = [x.strip() for x in blacklisted_file_types.split(',')]
+        else:
+            blacklisted_file_types = ['.exe', '.bat', '.com', '.pif', '.php', '.js',
+                    'application/x-ms-dos-executable']
+        if (os.path.splitext(self.value.base_filename)[-1].lower() in blacklisted_file_types or
+                filetype in blacklisted_file_types):
+            self.error = _('forbidden file type')
+

 class PicklableUpload(Upload):
    def __getstate__(self):