Browse Source

Fix upload file type check (#7890)

* fix upload file type check

* make the function simple and added tests

* Update comment as per @silverwind
for-closed-social
Lunny Xiao 5 years ago
committed by Lauris BH
parent
commit
2d0b90c967
2 changed files with 54 additions and 10 deletions
  1. +7
    -10
      modules/upload/filetype.go
  2. +47
    -0
      modules/upload/filetype_test.go

+ 7
- 10
modules/upload/filetype.go View File

@ -31,19 +31,16 @@ func (err ErrFileTypeForbidden) Error() string {
func VerifyAllowedContentType(buf []byte, allowedTypes []string) error {
fileType := http.DetectContentType(buf)
allowed := false
for _, t := range allowedTypes {
t := strings.Trim(t, " ")
if t == "*/*" || t == fileType {
allowed = true
break
}
}
if !allowed {
log.Info("Attachment with type %s blocked from upload", fileType)
return ErrFileTypeForbidden{Type: fileType}
if t == "*/*" || t == fileType ||
// Allow directives after type, like 'text/plain; charset=utf-8'
strings.HasPrefix(fileType, t+";") {
return nil
}
}
return nil
log.Info("Attachment with type %s blocked from upload", fileType)
return ErrFileTypeForbidden{Type: fileType}
}

+ 47
- 0
modules/upload/filetype_test.go View File

@ -0,0 +1,47 @@
// Copyright 2019 The Gitea Authors. All rights reserved.
// Use of this source code is governed by a MIT-style
// license that can be found in the LICENSE file.
package upload
import (
"bytes"
"compress/gzip"
"testing"
"github.com/stretchr/testify/assert"
)
func TestUpload(t *testing.T) {
testContent := []byte(`This is a plain text file.`)
var b bytes.Buffer
w := gzip.NewWriter(&b)
w.Write(testContent)
w.Close()
kases := []struct {
data []byte
allowedTypes []string
err error
}{
{
data: testContent,
allowedTypes: []string{"text/plain"},
err: nil,
},
{
data: testContent,
allowedTypes: []string{"application/x-gzip"},
err: ErrFileTypeForbidden{"text/plain; charset=utf-8"},
},
{
data: b.Bytes(),
allowedTypes: []string{"application/x-gzip"},
err: nil,
},
}
for _, kase := range kases {
assert.Equal(t, kase.err, VerifyAllowedContentType(kase.data, kase.allowedTypes))
}
}

Loading…
Cancel
Save