Add mime_type checks on file uploads

2025-10-25 20:37:41 +00:00 · 2024-05-31 17:43:49 -04:00
parent 014a247847
commit 7eece7603b
3 changed files with 27 additions and 2 deletions
--- a/cps/editbooks.py
+++ b/cps/editbooks.py
@@ -23,6 +23,7 @@
 import os
 from datetime import datetime
 import json
+import magic
 from shutil import copyfile
 from uuid import uuid4
 from markupsafe import escape, Markup  # dependency of flask
@@ -757,6 +758,10 @@ def file_handling_on_upload(requested_file):
        flash(_("File %(filename)s could not saved to temp dir",
                filename=requested_file.filename), category="error")
        return None, Response(json.dumps({"location": url_for("web.index")}), mimetype='application/json')
+    except (Exception):
+        flash(_("File is not allowed to be uploaded to this server",
+                filename=requested_file.filename), category="error")
+        return None, Response(json.dumps({"location": url_for("web.index")}), mimetype='application/json')
    return meta, None