Fix upload file type check (#7890)
* fix upload file type check * make the function simple and added tests * Update comment as per @silverwind
This commit is contained in:
Lunny Xiao
Lauris BH
parent
a678ea44b8
commit
2d0b90c967
2 changed files with 54 additions and 10 deletions
|
|
@ -31,19 +31,16 @@ func (err ErrFileTypeForbidden) Error() string {
|
||||||
func VerifyAllowedContentType(buf []byte, allowedTypes []string) error {
|
func VerifyAllowedContentType(buf []byte, allowedTypes []string) error {
|
||||||
fileType := http.DetectContentType(buf)
|
fileType := http.DetectContentType(buf)
|
||||||
|
|
||||||
allowed := false
|
|
||||||
for _, t := range allowedTypes {
|
for _, t := range allowedTypes {
|
||||||
t := strings.Trim(t, " ")
|
t := strings.Trim(t, " ")
|
||||||
if t == "*/*" || t == fileType {
|
|
||||||
allowed = true
|
if t == "*/*" || t == fileType ||
|
||||||
break
|
// Allow directives after type, like 'text/plain; charset=utf-8'
|
||||||
|
strings.HasPrefix(fileType, t+";") {
|
||||||
|
return nil
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
if !allowed {
|
log.Info("Attachment with type %s blocked from upload", fileType)
|
||||||
log.Info("Attachment with type %s blocked from upload", fileType)
|
return ErrFileTypeForbidden{Type: fileType}
|
||||||
return ErrFileTypeForbidden{Type: fileType}
|
|
||||||
}
|
|
||||||
|
|
||||||
return nil
|
|
||||||
}
|
}
|
||||||
|
|
|
||||||
47
modules/upload/filetype_test.go
Normal file
47
modules/upload/filetype_test.go
Normal file
|
|
@ -0,0 +1,47 @@
|
||||||
|
// Copyright 2019 The Gitea Authors. All rights reserved.
|
||||||
|
// Use of this source code is governed by a MIT-style
|
||||||
|
// license that can be found in the LICENSE file.
|
||||||
|
|
||||||
|
package upload
|
||||||
|
|
||||||
|
import (
|
||||||
|
"bytes"
|
||||||
|
"compress/gzip"
|
||||||
|
"testing"
|
||||||
|
|
||||||
|
"github.com/stretchr/testify/assert"
|
||||||
|
)
|
||||||
|
|
||||||
|
func TestUpload(t *testing.T) {
|
||||||
|
testContent := []byte(`This is a plain text file.`)
|
||||||
|
var b bytes.Buffer
|
||||||
|
w := gzip.NewWriter(&b)
|
||||||
|
w.Write(testContent)
|
||||||
|
w.Close()
|
||||||
|
|
||||||
|
kases := []struct {
|
||||||
|
data []byte
|
||||||
|
allowedTypes []string
|
||||||
|
err error
|
||||||
|
}{
|
||||||
|
{
|
||||||
|
data: testContent,
|
||||||
|
allowedTypes: []string{"text/plain"},
|
||||||
|
err: nil,
|
||||||
|
},
|
||||||
|
{
|
||||||
|
data: testContent,
|
||||||
|
allowedTypes: []string{"application/x-gzip"},
|
||||||
|
err: ErrFileTypeForbidden{"text/plain; charset=utf-8"},
|
||||||
|
},
|
||||||
|
{
|
||||||
|
data: b.Bytes(),
|
||||||
|
allowedTypes: []string{"application/x-gzip"},
|
||||||
|
err: nil,
|
||||||
|
},
|
||||||
|
}
|
||||||
|
|
||||||
|
for _, kase := range kases {
|
||||||
|
assert.Equal(t, kase.err, VerifyAllowedContentType(kase.data, kase.allowedTypes))
|
||||||
|
}
|
||||||
|
}
|
||||||
Loading…
Reference in a new issue