0001-misc-check-uploaded-image-is-valid-before-sending-it.patch
| tests/test_form_pages.py | ||
|---|---|---|
| 1522 | 1522 |
resp = app.get('/test/tempfile?t=%s&thumbnail=1' % tempfile_id)
|
| 1523 | 1523 |
assert resp.content_type == 'image/png' |
| 1524 | 1524 | |
| 1525 |
# check a fake image is not sent back |
|
| 1526 |
upload = Upload('test.jpg', '<script>evil javascript</script>', 'image/jpeg')
|
|
| 1527 |
app = get_app(pub) |
|
| 1528 |
resp = app.get('/test/')
|
|
| 1529 |
resp.forms[0]['f0$file'] = upload |
|
| 1530 |
resp = resp.forms[0].submit('submit')
|
|
| 1531 |
assert not '<img alt="" src="tempfile?' in resp.body |
|
| 1532 | ||
| 1525 | 1533 |
def test_form_file_field_submit_wrong_mimetype(pub): |
| 1526 | 1534 |
formdef = create_formdef() |
| 1527 | 1535 |
formdef.fields = [fields.FileField(id='0', label='file')] |
| wcs/qommon/form.py | ||
|---|---|---|
| 29 | 29 |
import hashlib |
| 30 | 30 |
import json |
| 31 | 31 | |
| 32 |
try: |
|
| 33 |
from PIL import Image |
|
| 34 |
except ImportError: |
|
| 35 |
Image = None |
|
| 36 | ||
| 32 | 37 |
from storage import atomic_write |
| 33 | 38 | |
| 34 | 39 |
try: |
| ... | ... | |
| 690 | 695 |
% (_('Remove this file'), _('remove')))
|
| 691 | 696 |
elif temp: |
| 692 | 697 |
filetype = mimetypes.guess_type(temp.get('orig_filename', ''))
|
| 698 |
include_image = False |
|
| 693 | 699 |
if filetype and filetype[0] and filetype[0].startswith('image'):
|
| 700 |
include_image = True |
|
| 701 |
if Image: |
|
| 702 |
image_content = get_session().get_tempfile_content(self.get('token'))
|
|
| 703 |
try: |
|
| 704 |
image = Image.open(image_content.fp) |
|
| 705 |
except Exception: |
|
| 706 |
include_image = False |
|
| 707 |
if include_image: |
|
| 694 | 708 |
r += htmltext('<img alt="" src="tempfile?t=%s&thumbnail=1" />' %
|
| 695 | 709 |
self.get('token'))
|
| 696 | 710 |
r += htmltext('</div>')
|
| 697 |
- |
|