Ticket #5328: 0001-Added-support-for-blacklisting-whitelisting-mimetype.patch

mediagoblin/edit/views.py

@@ -103 +103 @@
         {'media': media,
          'form': form})
 
-
-# Mimetypes that browsers parse scripts in.
-# Content-sniffing isn't taken into consideration.
-UNSAFE_MIMETYPES = [
-        'text/html',
-        'text/svg+xml']
-
+def read_list_from_config(section):
+    global_config = mg_globals.global_config
+    mimelist = []
+    if 'attachments' in global_config and section in global_config['attachments']:
+        mimelist = global_config['attachments'][section][:] # FIXME: [:] is a bit hackish
+    return mimelist
 
 @get_media_entry_by_id
 @require_active_login
@@ -117 +116 @@
     if mg_globals.app_config['allow_attachments']:
         form = forms.EditAttachmentsForm()
 
+        # Mimetypes that browsers parse scripts in.
+        # Content-sniffing isn't taken into consideration.
+        UNSAFE_MIMETYPES = []
+        SAFE_MIMETYPES = []
+
+        # Blacklisting is for setting up what mime types to ALWAYS deny
+        UNSAFE_MIMETYPES = read_list_from_config('blacklist')
+
+        # Whitelisting is for setting up what mime types to ONLY allow (optional)
+        SAFE_MIMETYPES = read_list_from_config('whitelist')
+
+        bMimeAllowed = True
+
         # Add any attachements
         if 'attachment_file' in request.files \
             and request.files['attachment_file']:
@@ -131 +143 @@
             # This method isn't flawless as we do the mimetype lookup on the
             # machine parsing the upload form, and not necessarily the machine
             # serving the attachments.
-            if mimetypes.guess_type(
-                    request.files['attachment_file'].filename)[0] in \
-                    UNSAFE_MIMETYPES:
-                public_filename = secure_filename('{0}.notsafe'.format(
-                    request.files['attachment_file'].filename))
+
+            attachment_file = request.files['attachment_file'].filename
+
+            # Check blacklist and (optionally) whitelist, guess_type strict is set to False
+            # to include more mimetypes to be scanned
+            if (SAFE_MIMETYPES != []) and (not mimetypes.guess_type(attachment_file, False)[0] \
+                in SAFE_MIMETYPES):
+                    # We hit a mime type that is NOT whitelisted and whitelist exists
+                    messages.add_message(request, messages.ERROR, "Sorry, that format is not allowed!")
+                    bMimeAllowed = False
+                    #raise Forbidden("Attachment mimetype is not allowed")
+                    public_filename = secure_filename('{0}.notsafe'.format(
+                    attachment_file))
+            elif (UNSAFE_MIMETYPES != []) and (mimetypes.guess_type(attachment_file, False)[0] \
+                in UNSAFE_MIMETYPES):
+                    # We hit a mime type that is blacklisted and blacklist exists
+                    messages.add_message(request, messages.ERROR, "Sorry, that format is not allowed!")
+                    bMimeAllowed = False
+                    #raise Forbidden("Attachment mimetype is not allowed")
+                    public_filename = secure_filename('{0}.notsafe'.format(
+                    attachment_file))
             else:
-                public_filename = secure_filename(
-                        request.files['attachment_file'].filename)
+                public_filename = secure_filename(attachment_file)
+
+            if not bMimeAllowed or request.form['max_size_reached'] == "true":
+                return render_to_response(
+                    request,
+                    'mediagoblin/edit/attachments.html',
+                    {'media': media,
+                     'form': form})
 
             attachment_public_filepath \
                 = mg_globals.public_store.get_unique_filepath(

mediagoblin/static/js/file_size.js

@@ -16 +16 @@
  * along with this program.  If not, see <http://www.gnu.org/licenses/>.
  */
 
-$(document).ready(function(){
-    var file = document.getElementById('file');
-    var uploaded = parseInt(document.getElementById('uploaded').value);
-    var upload_limit = parseInt(document.getElementById('upload_limit').value);
-    var max_file_size = parseInt(document.getElementById('max_file_size').value);
+var file;
+var uploaded;
+var upload_limit;
+var max_file_size;
+
+// FIXME: Very hackish, please fix if you can. This is because the extra HTML won't appear.
+var popup;
 
-    file.onchange = function() {
-        var file_size = file.files[0].size / (1024.0 * 1024);
+function check_file_size() {
+    var file_size = file.files[0].size / (1024.0 * 1024);
 
-        if (file_size >= max_file_size) {
-            $('#file').after('<p id="file_size_error" class="form_field_error">Sorry, the file size is too big.</p>'); 
+    if (file_size >= max_file_size) {
+        if (popup)
+        {
+            alert("Sorry, the file size is too big.")
+            document.getElementById('max_size_reached').value = true;
         }
-        else if (document.getElementById('file_size_error')) {
-            $('#file_size_error').hide();
+        else if (document.getElementById('upload_limit_error')) {
+            $('#file').after('<p id="file_size_error" class="form_field_error">Sorry, the file size is too big.</p>');
         }
+    }
+    else if (document.getElementById('file_size_error')) {
+        $('#file_size_error').hide();
+    }
 
-        if (upload_limit) {
-            if ( uploaded + file_size >= upload_limit) {
-                $('#file').after('<p id="upload_limit_error" class="form_field_error">Sorry, uploading this file will put you over your upload limit.</p>');
+    if (upload_limit) {
+        if ( uploaded + file_size >= upload_limit) {
+            if (popup)
+            {
+                alert("Sorry, uploading this file will put you over your upload limit.");
+                document.getElementById('max_size_reached').value = true;
             }
             else if (document.getElementById('upload_limit_error')) {
-                $('#upload_limit_error').hide();
-            console.log(file_size >= max_file_size);
+                $('#file').after('<p id="upload_limit_error" class="form_field_error">Sorry, uploading this file will put you over your upload limit.</p>');
             }
         }
-    };
+        else if (document.getElementById('upload_limit_error')) {
+            $('#upload_limit_error').hide();
+            console.log(file_size >= max_file_size);
+        }
+    }
+}
+
+$(document).ready(function(){
+    popup = false;
+    file = document.getElementById('file');
+    if (file == null)
+    {
+        popup = true;
+        file = document.getElementById('attachment_file');
+    }
+    uploaded = parseInt(document.getElementById('uploaded').value);
+    upload_limit = parseInt(document.getElementById('upload_limit').value);
+    max_file_size = parseInt(document.getElementById('max_file_size').value);
+
+    file.onchange = check_file_size
+
 });

mediagoblin/templates/mediagoblin/edit/attachments.html

@@ -19 +19 @@
 
 {% import "/mediagoblin/utils/wtforms.html" as wtforms_util %}
 
+{% block mediagoblin_head %}
+  <script type="text/javascript"
+          src="{{ request.staticdirect('/js/file_size.js') }}"></script>
+{% endblock %}
+
 {% block title -%}
   {% trans media_title=media.title -%}
       Editing attachments for {{ media_title }}
@@ -60 +65 @@
         <a class="button_action" href="{{ media.url_for_self(request.urlgen) }}">
           {%- trans %}Cancel{% endtrans -%}
         </a>
+        <input type="hidden" id="uploaded" value="{{ media.get_uploader.uploaded }}" />
+        <input type="hidden" id="upload_limit" value="{{ media.get_uploader.upload_limit }}" />
+        <input type="hidden" id="max_file_size" value="{{ global_config['mediagoblin']['max_file_size'] }}" />
+        <input type="hidden" name="max_size_reached" id="max_size_reached" value="false" />
         <input type="submit" value="{% trans %}Save changes{% endtrans %}"
                class="button_form" />
         {{ csrf_token }}