0001-form-fix-uploaded-file-mime-types-with-server-side-d.patch
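--- a/tests/test_form_pages.py
+++ b/tests/test_form_pages.py
@@ -1248,6 +1248,44 @@
 assert resp.content_type == 'text/plain'
 assert resp.body == 'foobar'
 
+def test_form_file_field_submit_wrong_mimetype(pub):
+formdef = create_formdef()
+formdef.fields = [fields.FileField(id='0', label='file')]
+formdef.store()
+formdef.data_class().wipe()
+
+upload = Upload('test.txt', 'foobar', 'application/force-download')
+
+resp = get_app(pub).get('/test/')
+resp.forms[0]['f0$file'] = upload
+resp = resp.forms[0].submit('submit')
+assert 'Check values then click submit.' in resp.body
+resp = resp.forms[0].submit('submit')
+assert resp.status_int == 302
+resp = resp.follow()
+assert 'The form has been recorded' in resp.body
+resp = resp.click('test.txt')
+assert resp.location.endswith('/test.txt')
+resp = resp.follow()
+assert resp.content_type == 'text/plain'
+assert resp.body == 'foobar'
+
+upload = Upload('test.pdf', '%PDF-1.4 ...', 'application/force-download')
+
+resp = get_app(pub).get('/test/')
+resp.forms[0]['f0$file'] = upload
+resp = resp.forms[0].submit('submit')
+assert 'Check values then click submit.' in resp.body
+resp = resp.forms[0].submit('submit')
+assert resp.status_int == 302
+resp = resp.follow()
+assert 'The form has been recorded' in resp.body
+resp = resp.click('test.pdf')
+assert resp.location.endswith('/test.pdf')
+resp = resp.follow()
+assert resp.content_type == 'application/pdf'
+assert resp.body == '%PDF-1.4 ...'
+
 def test_formdata_attachment_download(pub):
 create_user(pub)
 wf = Workflow(name='status')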
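Review bot: Both uploads in `test_form_file_field_submit_wrong_mimetype` carry a name whose extension agrees with the content, so the test passes identically through the magic branch and through the `mimetypes.guess_type` fallback and never shows which of the two decided the stored type. The `file_type` restriction path that the same commit changes in wcs/qommon/form.py is also left untested. I would add a case where the extension and the content disagree, skipped when the magic module cannot be imported, and a case with a restricted field that asserts the upload is refused. A docstring would help too, for example `"""A browser-supplied MIME type is replaced by a server-side one before the file is stored and served."""`.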
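--- a/wcs/qommon/form.py
+++ b/wcs/qommon/form.py
@@ -630,6 +630,26 @@
 # there's no file, the other checks are irrelevant.
 return
 
+# Don't trust the browser supplied MIME type, update the Upload object
+# with a MIME type created with magic (or based on the extension if the
+# module is missing).
+#
+# This also helps people uploading PDF files that were downloaded from
+# sites setting a wrong MIME type (like application/force-download) for
+# various reasons.
+if magic:
+magic_object = magic.open(magic.MIME)
+magic_object.load()
+filetype = magic_object.file(self.value.fp.name).split(';')[0]
+magic_object.close()
+else:
+filetype, encoding = mimetypes.guess_type(self.value.base_filename)
+
+if not filetype:
+filetype = 'application/octet-stream'
+
+self.value.content_type = filetype
+
 if self.max_file_size:
 # validate file size
 file_size = os.path.getsize(self.value.fp.name)
@@ -642,21 +662,11 @@
 for file_type in self.file_type:
 accepted_file_types.extend(file_type.split(','))
 
-if magic:
-magic_object = magic.open(magic.MIME)
-magic_object.load()
-filetype = magic_object.file(self.value.fp.name).split(';')[0]
-magic_object.close()
-else:
-filetype, encoding = mimetypes.guess_type(self.value.base_filename)
-if not filetype:
-filetype = 'application/octet-stream'
-
 valid_file_type = False
 for accepted_file_type in accepted_file_types:
 # fnmatch is used to handle generic mimetypes, like
 # image/*
-if fnmatch.fnmatch(filetype, accepted_file_type):
+if fnmatch.fnmatch(self.value.content_type, accepted_file_type):
 valid_file_type = True
 break
 if not valid_file_type: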
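Review bot: In the first hunk, `magic_object.file(self.value.fp.name).split(';')[0]` now runs for every upload instead of only when `file_type` is restricted, and nothing guards it. If `file()` returns `None` on a libmagic error (I believe these bindings do, worth confirming), the `.split` raises and `close()` is skipped. The `else` branch takes the type from `self.value.base_filename`, which the client chooses, so without the magic module the stored `content_type` and the `fnmatch` check in the second hunk are no more trustworthy than the browser header; the comment should say that. The fence sketches both changes, and the enclosing method starts and ends outside the hunk.

```python
if magic:
    magic_object = magic.open(magic.MIME)
    try:
        magic_object.load()
        detected = magic_object.file(self.value.fp.name)
    finally:
        magic_object.close()
    # an empty result falls through to the octet-stream default below
    filetype = detected.split(';')[0] if detected else None
else:
    # The extension comes from the client-chosen file name: treat the
    # result as a hint, not as a verified content type.
    filetype, encoding = mimetypes.guess_type(self.value.base_filename)
# … unchanged: octet-stream default and self.value.content_type assignment …
```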
663 |
- |