From 5603d4df8fcf1a7a5b85906dad0049d7e79cce6c Mon Sep 17 00:00:00 2001 From: Jakob Kramer Date: Thu, 2 Jun 2011 17:35:20 +0200 Subject: [PATCH 1/3] should fix #324 --- mediagoblin/submit/security.py | 32 ++++++++++++++++++++++++++++++++ 1 file changed, 32 insertions(+) create mode 100644 mediagoblin/submit/security.py diff --git a/mediagoblin/submit/security.py b/mediagoblin/submit/security.py new file mode 100644 index 00000000..db4c860d --- /dev/null +++ b/mediagoblin/submit/security.py @@ -0,0 +1,32 @@ +# GNU MediaGoblin -- federated, autonomous media hosting +# Copyright (C) 2011 Free Software Foundation, Inc +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU Affero General Public License for more details. +# +# You should have received a copy of the GNU Affero General Public License +# along with this program. If not, see . + +from mimetypes import guess_type + +from Image import open as image_open + +ALLOWED = ['image/jpeg', 'image/png', 'image/tiff', 'image/gif'] + +def check_filetype(posted_file): + if not guess_type(posted_file.filename) in ALLOWED: + return False + + try: + image = image_open(posted_file.file) + except IOError: + return False + + return True From 3eeadc922a669af9b4df4a41dc464bf6587802c1 Mon Sep 17 00:00:00 2001 From: Jakob Kramer Date: Thu, 2 Jun 2011 17:47:38 +0200 Subject: [PATCH 2/3] add changes in mediagoblin/submit/views.py --- mediagoblin/submit/views.py | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/mediagoblin/submit/views.py b/mediagoblin/submit/views.py index 262f2b12..5ddf992f 100644 --- a/mediagoblin/submit/views.py +++ b/mediagoblin/submit/views.py @@ -21,7 +21,7 @@ from webob import Response, exc from werkzeug.utils import secure_filename from mediagoblin.decorators import require_active_login -from mediagoblin.submit import forms as submit_forms +from mediagoblin.submit import forms as submit_forms, security from mediagoblin.process_media import process_media_initial @@ -38,6 +38,9 @@ def submit_start(request): and request.POST['file'].file): submit_form.file.errors.append( u'You must provide a file.') + elif not security.check_filetype(request.POST['file']): + submit_form.file.errors.append( + u'The file doesn\'t seem to be an image!') else: filename = request.POST['file'].filename From fe4ffb860fcf211406861a726c64439435964f4c Mon Sep 17 00:00:00 2001 From: Christopher Allan Webber Date: Mon, 6 Jun 2011 07:57:05 -0500 Subject: [PATCH 3/3] Added a comment to clarify that this shouldn't stay here. --- mediagoblin/submit/security.py | 2 ++ 1 file changed, 2 insertions(+) diff --git a/mediagoblin/submit/security.py b/mediagoblin/submit/security.py index db4c860d..5a06a499 100644 --- a/mediagoblin/submit/security.py +++ b/mediagoblin/submit/security.py @@ -24,6 +24,8 @@ def check_filetype(posted_file): if not guess_type(posted_file.filename) in ALLOWED: return False + # TODO: This should be handled by the processing stage. We should + # handle error detection there. try: image = image_open(posted_file.file) except IOError: