Fix upload file type check (#7890)

* fix upload file type check

* make the function simple and added tests

* Update comment as per @silverwind
release/v1.15
Lunny Xiao 2019-08-17 18:10:17 +08:00 committed by Lauris BH
parent a678ea44b8
commit 2d0b90c967
2 changed files with 54 additions and 10 deletions

View File

@ -31,19 +31,16 @@ func (err ErrFileTypeForbidden) Error() string {
func VerifyAllowedContentType(buf []byte, allowedTypes []string) error { func VerifyAllowedContentType(buf []byte, allowedTypes []string) error {
fileType := http.DetectContentType(buf) fileType := http.DetectContentType(buf)
allowed := false
for _, t := range allowedTypes { for _, t := range allowedTypes {
t := strings.Trim(t, " ") t := strings.Trim(t, " ")
if t == "*/*" || t == fileType {
allowed = true if t == "*/*" || t == fileType ||
break // Allow directives after type, like 'text/plain; charset=utf-8'
strings.HasPrefix(fileType, t+";") {
return nil
} }
} }
if !allowed { log.Info("Attachment with type %s blocked from upload", fileType)
log.Info("Attachment with type %s blocked from upload", fileType) return ErrFileTypeForbidden{Type: fileType}
return ErrFileTypeForbidden{Type: fileType}
}
return nil
} }

View File

@ -0,0 +1,47 @@
// Copyright 2019 The Gitea Authors. All rights reserved.
// Use of this source code is governed by a MIT-style
// license that can be found in the LICENSE file.
package upload
import (
"bytes"
"compress/gzip"
"testing"
"github.com/stretchr/testify/assert"
)
func TestUpload(t *testing.T) {
testContent := []byte(`This is a plain text file.`)
var b bytes.Buffer
w := gzip.NewWriter(&b)
w.Write(testContent)
w.Close()
kases := []struct {
data []byte
allowedTypes []string
err error
}{
{
data: testContent,
allowedTypes: []string{"text/plain"},
err: nil,
},
{
data: testContent,
allowedTypes: []string{"application/x-gzip"},
err: ErrFileTypeForbidden{"text/plain; charset=utf-8"},
},
{
data: b.Bytes(),
allowedTypes: []string{"application/x-gzip"},
err: nil,
},
}
for _, kase := range kases {
assert.Equal(t, kase.err, VerifyAllowedContentType(kase.data, kase.allowedTypes))
}
}