misc: add settings to block some extensions (#58982)

fargo/fargo/forms.py

@@ -14,6 +14,8 @@
 # You should have received a copy of the GNU Affero General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
+import os
+
 from django import forms
 from django.utils.translation import ugettext_lazy as _
 from django.conf import settings
@@ -34,6 +36,10 @@ class UploadForm(forms.ModelForm):
                     _('Uploaded file is too big (limit is %s)')
                     % filesizeformat(settings.FARGO_MAX_DOCUMENT_SIZE)
                 )
+            if settings.FARGO_FORBIDDEN_EXTENSIONS:
+                ext = os.path.splitext(content.name)[-1]
+                if ext in settings.FARGO_FORBIDDEN_EXTENSIONS:
+                    raise forms.ValidationError(_('Uploaded file is not allowed.'))
         return content
 
     def clean(self):

fargo/settings.py

@@ -171,6 +171,9 @@ MELLON_IDENTITY_PROVIDERS = []
 
 # Fargo settings
 
+# forbidden files, list of extensions, ex: ['.php', '.exe']
+FARGO_FORBIDDEN_EXTENSIONS = None
+
 FARGO_MAX_DOCUMENT_SIZE = 4 * 1024 * 1024  # 4 Mo
 
 FARGO_MAX_DOCUMENT_BOX_SIZE = 20 * 1024 * 1024  # 20 Mo

tests/test_public.py

@@ -150,3 +150,18 @@ def test_max_documents_per_user(app, private_settings, john_doe):
 
     response = app.get('/upload/')
     assert response.location == '/'
+
+
+def test_forbidden_extension(app, private_settings, john_doe):
+    private_settings.FARGO_FORBIDDEN_EXTENSIONS = ['.txt']
+    login(app, user=john_doe)
+    resp = app.get('/')
+    resp.form['content'] = Upload('monfichier.pdf', b'coin', 'application/pdf')
+    resp = resp.form.submit().follow()
+    assert UserDocument.objects.count() == 1
+
+    resp = app.get('/')
+    resp.form['content'] = Upload('monfichier.txt', b'coin', 'text/plain')
+    resp = resp.form.submit()
+    assert 'Uploaded file is not allowed.' in resp.text
+    assert UserDocument.objects.count() == 1