0001-misc-check-uploaded-image-is-valid-before-sending-it.patch
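--- a/tests/test_form_pages.py
+++ b/tests/test_form_pages.py
@@ -1522,6 +1522,14 @@
     resp = app.get('/test/tempfile?t=%s&thumbnail=1' % tempfile_id)
     assert resp.content_type == 'image/png'
 
+    # check a fake image is not sent back
+    upload = Upload('test.jpg', '<script>evil javascript</script>', 'image/jpeg')
+    app = get_app(pub)
+    resp = app.get('/test/')
+    resp.forms[0]['f0$file'] = upload
+    resp = resp.forms[0].submit('submit')
+    assert not '<img alt="" src="tempfile?' in resp.body
+
 def test_form_file_field_submit_wrong_mimetype(pub):
     formdef = create_formdef()
     formdef.fields = [fields.FileField(id='0', label='file')]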
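Review bot: The new assertion at new line 1531 only checks that the widget omits the `<img>` tag; it never requests `tempfile?t=...&thumbnail=1` with the fake upload, which is where a payload uploaded as `image/jpeg` would actually be served, so the "before sending it" intent of the commit is not pinned by this test. If the temp-file token can be recovered from the submitted form (the valid-image case above uses `tempfile_id` for the same endpoint), a second `app.get(...)` asserting that the response is not `text/html` and does not contain the script string would cover that path. Minor style: `assert '<img alt="" src="tempfile?' not in resp.body` reads better than `not ... in`. The test function containing these lines starts before the hunk.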
wcs/qommon/form.py | ||
---|---|---|
29 | 29 |
import hashlib |
30 | 30 |
import json |
31 | 31 | |
32 |
try: |
|
33 |
from PIL import Image |
|
34 |
except ImportError: |
|
35 |
Image = None |
|
36 | ||
32 | 37 |
from storage import atomic_write |
33 | 38 | |
34 | 39 |
try: |
... | ... | |
690 | 695 |
% (_('Remove this file'), _('remove'))) |
691 | 696 |
elif temp: |
692 | 697 |
filetype = mimetypes.guess_type(temp.get('orig_filename', '')) |
698 |
include_image = False |
|
693 | 699 |
if filetype and filetype[0] and filetype[0].startswith('image'): |
700 |
include_image = True |
|
701 |
if Image: |
|
702 |
image_content = get_session().get_tempfile_content(self.get('token')) |
|
703 |
try: |
|
704 |
image = Image.open(image_content.fp) |
|
705 |
except Exception: |
|
706 |
include_image = False |
|
707 |
if include_image: |
|
694 | 708 |
r += htmltext('<img alt="" src="tempfile?t=%s&thumbnail=1" />' % |
695 | 709 |
self.get('token')) |
696 | 710 |
r += htmltext('</div>') |
697 |
- |
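Review bot: `Image.open(image_content.fp)` at new line 704 only parses the image header lazily, so a file that starts with a valid header and carries arbitrary content afterwards still passes and the thumbnail link is rendered; calling `image.verify()` inside the same `try` (it raises on truncated or inconsistent data, and the fp must be rewound or reopened afterwards because verify consumes it) makes the check match the commit's intent. When PIL cannot be imported (`Image = None`, new line 35) `include_image` stays True on the extension guess from the user-supplied `orig_filename` alone, so the protection silently disappears on such deployments — either note that in a comment or set `include_image = False` in that case. This check also only decides whether the `<img>` tag is emitted; if the `tempfile?thumbnail=1` handler does not apply the same validation (not visible in this hunk), a direct request to that URL still receives the unchecked content. The enclosing method starts before the hunk.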