2905 |
2905 |
assert resp.text == '%PDF-1.4 ...'
|
2906 |
2906 |
|
2907 |
2907 |
|
|
2908 |
def test_form_file_field_submit_blacklist(pub):
|
|
2909 |
formdef = create_formdef()
|
|
2910 |
formdef.fields = [fields.FileField(id='0', label='file')]
|
|
2911 |
formdef.store()
|
|
2912 |
formdef.data_class().wipe()
|
|
2913 |
|
|
2914 |
# application/x-ms-dos-executable
|
|
2915 |
upload = Upload('test.exe', b'MZ...', 'application/force-download')
|
|
2916 |
resp = get_app(pub).get('/test/')
|
|
2917 |
resp.forms[0]['f0$file'] = upload
|
|
2918 |
resp = resp.forms[0].submit('submit')
|
|
2919 |
assert 'forbidden file type' in resp.text
|
|
2920 |
|
|
2921 |
# define custom blacklist
|
|
2922 |
pub.load_site_options()
|
|
2923 |
if not pub.site_options.has_section('options'):
|
|
2924 |
pub.site_options.add_section('options')
|
|
2925 |
pub.site_options.set('options', 'blacklisted-file-types', 'application/pdf')
|
|
2926 |
with open(os.path.join(pub.app_dir, 'site-options.cfg'), 'w') as fd:
|
|
2927 |
pub.site_options.write(fd)
|
|
2928 |
|
|
2929 |
# check against mime type
|
|
2930 |
upload = Upload('test.pdf', b'%PDF-1.4 ...', 'application/force-download')
|
|
2931 |
resp = get_app(pub).get('/test/')
|
|
2932 |
resp.forms[0]['f0$file'] = upload
|
|
2933 |
resp = resp.forms[0].submit('submit')
|
|
2934 |
assert 'forbidden file type' in resp.text
|
|
2935 |
|
|
2936 |
# check against extension
|
|
2937 |
pub.site_options.set('options', 'blacklisted-file-types', '.pdf')
|
|
2938 |
with open(os.path.join(pub.app_dir, 'site-options.cfg'), 'w') as fd:
|
|
2939 |
pub.site_options.write(fd)
|
|
2940 |
|
|
2941 |
upload = Upload('test.pdf', b'%PDF-1.4 ...', 'application/force-download')
|
|
2942 |
resp = get_app(pub).get('/test/')
|
|
2943 |
resp.forms[0]['f0$file'] = upload
|
|
2944 |
resp = resp.forms[0].submit('submit')
|
|
2945 |
assert 'forbidden file type' in resp.text
|
|
2946 |
|
|
2947 |
|
2908 |
2948 |
def test_form_table_field_submit(pub, emails):
|
2909 |
2949 |
formdef = create_formdef()
|
2910 |
2950 |
formdef.fields = [fields.TableField(id='0', label='table', type='table',
|