
0001-general-blacklist-some-file-types-for-upload-6829.patch

Frédéric Péters, 25 janvier 2020 16:50


Subject: [PATCH] general: blacklist some file types for upload (#6829)

 tests/test_form_pages.py | 40 ++++++++++++++++++++++++++++++++++++++++
 wcs/qommon/form.py       | 10 ++++++++++
 2 files changed, 50 insertions(+)
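--- a/tests/test_form_pages.py
+++ b/tests/test_form_pages.py
@@ -2905,6 +2905,46 @@
     assert resp.text == '%PDF-1.4 ...'
 
 
+def test_form_file_field_submit_blacklist(pub):
+    formdef = create_formdef()
+    formdef.fields = [fields.FileField(id='0', label='file')]
+    formdef.store()
+    formdef.data_class().wipe()
+
+    # application/x-ms-dos-executable
+    upload = Upload('test.exe', b'MZ...', 'application/force-download')
+    resp = get_app(pub).get('/test/')
+    resp.forms[0]['f0$file'] = upload
+    resp = resp.forms[0].submit('submit')
+    assert 'forbidden file type' in resp.text
+
+    # define custom blacklist
+    pub.load_site_options()
+    if not pub.site_options.has_section('options'):
+        pub.site_options.add_section('options')
+    pub.site_options.set('options', 'blacklisted-file-types', 'application/pdf')
+    with open(os.path.join(pub.app_dir, 'site-options.cfg'), 'w') as fd:
+        pub.site_options.write(fd)
+
+    # check against mime type
+    upload = Upload('test.pdf', b'%PDF-1.4 ...', 'application/force-download')
+    resp = get_app(pub).get('/test/')
+    resp.forms[0]['f0$file'] = upload
+    resp = resp.forms[0].submit('submit')
+    assert 'forbidden file type' in resp.text
+
+    # check against extension
+    pub.site_options.set('options', 'blacklisted-file-types', '.pdf')
+    with open(os.path.join(pub.app_dir, 'site-options.cfg'), 'w') as fd:
+        pub.site_options.write(fd)
+
+    upload = Upload('test.pdf', b'%PDF-1.4 ...', 'application/force-download')
+    resp = get_app(pub).get('/test/')
+    resp.forms[0]['f0$file'] = upload
+    resp = resp.forms[0].submit('submit')
+    assert 'forbidden file type' in resp.text
+
+
 def test_form_table_field_submit(pub, emails):
     formdef = create_formdef()
     formdef.fields = [fields.TableField(id='0', label='table', type='table',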
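Review bot: The new test only exercises a lower-case extension (`test.exe`, `test.pdf`), so a case-sensitivity gap in the blacklist check (`test.EXE`, `test.Php`) would go unnoticed; add a case-variant upload next to the existing exe case, e.g. `upload = Upload('test.EXE', b'MZ...', 'application/force-download')` followed by the same `assert 'forbidden file type' in resp.text`. The test also writes a `.pdf` blacklist into `site-options.cfg` and never restores it, while the test just above (line 2905) expects a PDF upload to be served back; if the `pub` fixture is shared between tests, this leaves an ordering dependence, so reset `blacklisted-file-types` at the end of the test if that is the case. A positive case — an allowed upload submitted after a custom blacklist is set — would also confirm the option does not over-block.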
wcs/qommon/form.py
807 807
            if not valid_file_type:
808 808
                self.error = _('invalid file type')
809 809

  
810
        blacklisted_file_types = get_publisher().get_site_option('blacklisted-file-types')
811
        if blacklisted_file_types:
812
            blacklisted_file_types = [x.strip() for x in blacklisted_file_types.split(',')]
813
        else:
814
            blacklisted_file_types = ['.exe', '.bat', '.com', '.pif', '.php', '.js',
815
                    'application/x-ms-dos-executable']
816
        if (os.path.splitext(self.value.base_filename)[-1] in blacklisted_file_types or
817
                filetype in blacklisted_file_types):
818
            self.error = _('forbidden file type')
819

  
810 820

  
811 821
class PicklableUpload(Upload):
812 822
    def __getstate__(self):
813
-
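Review bot: The extension comparison on line 816 of the new side is case-sensitive, so `test.EXE` or `test.Php` is not caught by the default blacklist; normalise both sides before comparing, i.e. `blacklisted_file_types = [x.strip().lower() for x in blacklisted_file_types.split(',')]` for the site option and `os.path.splitext(self.value.base_filename)[-1].lower() in blacklisted_file_types` for the filename (and compare `filetype` lower-cased too, since media types are case-insensitive). Where `filetype` is computed is outside the hunk; if it is taken from the client-supplied Content-Type rather than sniffed from the bytes, the mime-type half of the check is attacker-controlled and only the extension half provides any protection, which is worth a comment on line 817. A denylist is also inherently incomplete — `.phtml`, `.php5`, `.cmd`, `.scr`, `.vbs`, and `.html`/`.svg` (scriptable if served inline) are not in the default list — so I would mark this as defence in depth with `# NOTE: denylist only; an explicit allowlist of accepted types is the safer default where the site can afford one`. The enclosing method starts before the hunk, so whether `self.error` short-circuits later processing is not visible here.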