mirror of
https://github.com/janeczku/calibre-web
synced 2024-11-28 04:19:59 +00:00
Add mime_type checks on file uploads
This commit is contained in:
parent
014a247847
commit
7eece7603b
@ -23,6 +23,7 @@
|
|||||||
import os
|
import os
|
||||||
from datetime import datetime
|
from datetime import datetime
|
||||||
import json
|
import json
|
||||||
|
import magic
|
||||||
from shutil import copyfile
|
from shutil import copyfile
|
||||||
from uuid import uuid4
|
from uuid import uuid4
|
||||||
from markupsafe import escape, Markup # dependency of flask
|
from markupsafe import escape, Markup # dependency of flask
|
||||||
@ -757,6 +758,10 @@ def file_handling_on_upload(requested_file):
|
|||||||
flash(_("File %(filename)s could not saved to temp dir",
|
flash(_("File %(filename)s could not saved to temp dir",
|
||||||
filename=requested_file.filename), category="error")
|
filename=requested_file.filename), category="error")
|
||||||
return None, Response(json.dumps({"location": url_for("web.index")}), mimetype='application/json')
|
return None, Response(json.dumps({"location": url_for("web.index")}), mimetype='application/json')
|
||||||
|
except (Exception):
|
||||||
|
flash(_("File is not allowed to be uploaded to this server",
|
||||||
|
filename=requested_file.filename), category="error")
|
||||||
|
return None, Response(json.dumps({"location": url_for("web.index")}), mimetype='application/json')
|
||||||
return meta, None
|
return meta, None
|
||||||
|
|
||||||
|
|
||||||
|
@ -19,6 +19,9 @@
|
|||||||
from tempfile import gettempdir
|
from tempfile import gettempdir
|
||||||
import os
|
import os
|
||||||
import shutil
|
import shutil
|
||||||
|
import magic
|
||||||
|
import zipfile
|
||||||
|
from . import constants
|
||||||
|
|
||||||
def get_temp_dir():
|
def get_temp_dir():
|
||||||
tmp_dir = os.path.join(gettempdir(), 'calibre_web')
|
tmp_dir = os.path.join(gettempdir(), 'calibre_web')
|
||||||
@ -30,3 +33,19 @@ def get_temp_dir():
|
|||||||
def del_temp_dir():
|
def del_temp_dir():
|
||||||
tmp_dir = os.path.join(gettempdir(), 'calibre_web')
|
tmp_dir = os.path.join(gettempdir(), 'calibre_web')
|
||||||
shutil.rmtree(tmp_dir)
|
shutil.rmtree(tmp_dir)
|
||||||
|
|
||||||
|
def validate_mime_type(tmp_file_path):
|
||||||
|
mime = magic.Magic(mime=True)
|
||||||
|
tmp_mime_type = mime.from_file(tmp_file_path)
|
||||||
|
if any(mime_type in tmp_mime_type for mime_type in constants.EXTENSIONS_UPLOAD):
|
||||||
|
return True
|
||||||
|
# Some epubs show up as zip mimetypes
|
||||||
|
elif "zip" in tmp_mime_type:
|
||||||
|
try:
|
||||||
|
with zipfile.ZipFile(tmp_file_path, 'r') as epub:
|
||||||
|
if "mimetype" in epub.namelist():
|
||||||
|
return True
|
||||||
|
except:
|
||||||
|
pass
|
||||||
|
|
||||||
|
raise Exception("Forbidden MIME type to upload")
|
||||||
|
@ -23,7 +23,7 @@ from flask_babel import gettext as _
|
|||||||
from . import logger, comic, isoLanguages
|
from . import logger, comic, isoLanguages
|
||||||
from .constants import BookMeta
|
from .constants import BookMeta
|
||||||
from .helper import split_authors
|
from .helper import split_authors
|
||||||
from .file_helper import get_temp_dir
|
from .file_helper import get_temp_dir, validate_mime_type
|
||||||
|
|
||||||
log = logger.create()
|
log = logger.create()
|
||||||
|
|
||||||
@ -91,7 +91,8 @@ def process(tmp_file_path, original_file_name, original_file_extension, rar_exec
|
|||||||
meta = meta._replace(title=original_file_name)
|
meta = meta._replace(title=original_file_name)
|
||||||
if not meta.author.strip() or meta.author.lower() == 'unknown':
|
if not meta.author.strip() or meta.author.lower() == 'unknown':
|
||||||
meta = meta._replace(author=_('Unknown'))
|
meta = meta._replace(author=_('Unknown'))
|
||||||
return meta
|
if validate_mime_type(tmp_file_path):
|
||||||
|
return meta
|
||||||
|
|
||||||
|
|
||||||
def default_meta(tmp_file_path, original_file_name, original_file_extension):
|
def default_meta(tmp_file_path, original_file_name, original_file_extension):
|
||||||
|
Loading…
Reference in New Issue
Block a user