Fixed attachments

Joar Wandborg 2012-10-23 01:09:09 +02:00
parent d7d9933735
commit c43f8c1d92
3 changed files with 16 additions and 14 deletions


@ -106,9 +106,8 @@ def edit_attachments(request, media):
form = forms.EditAttachmentsForm() form = forms.EditAttachmentsForm()
# Add any attachements # Add any attachements
if ('attachment_file' in request.form if 'attachment_file' in request.files \
and isinstance(request.form['attachment_file'], FieldStorage) and request.files['attachment_file']:
and request.form['attachment_file'].file):
# Security measure to prevent attachments from being served as # Security measure to prevent attachments from being served as
# text/html, which will be parsed by web clients and pose an XSS # text/html, which will be parsed by web clients and pose an XSS
@ -121,13 +120,13 @@ def edit_attachments(request, media):
# machine parsing the upload form, and not necessarily the machine # machine parsing the upload form, and not necessarily the machine
# serving the attachments. # serving the attachments.
if mimetypes.guess_type( if mimetypes.guess_type(
request.form['attachment_file'].filename)[0] in \ request.files['attachment_file'].filename)[0] in \
UNSAFE_MIMETYPES: UNSAFE_MIMETYPES:
public_filename = secure_filename('{0}.notsafe'.format( public_filename = secure_filename('{0}.notsafe'.format(
request.form['attachment_file'].filename)) request.files['attachment_file'].filename))
else: else:
public_filename = secure_filename( public_filename = secure_filename(
request.form['attachment_file'].filename) request.files['attachment_file'].filename)
attachment_public_filepath \ attachment_public_filepath \
= mg_globals.public_store.get_unique_filepath( = mg_globals.public_store.get_unique_filepath(
@ -139,13 +138,13 @@ def edit_attachments(request, media):
try: try:
attachment_public_file.write( attachment_public_file.write(
request.form['attachment_file'].file.read()) request.files['attachment_file'].stream.read())
finally: finally:
request.form['attachment_file'].file.close() request.files['attachment_file'].stream.close()
media.attachment_files.append(dict( media.attachment_files.append(dict(
name=request.form['attachment_name'] \ name=request.form['attachment_name'] \
or request.form['attachment_file'].filename, or request.files['attachment_file'].filename,
filepath=attachment_public_filepath, filepath=attachment_public_filepath,
created=datetime.utcnow(), created=datetime.utcnow(),
)) ))
@ -156,7 +155,7 @@ def edit_attachments(request, media):
request, messages.SUCCESS, request, messages.SUCCESS,
"You added the attachment %s!" \ "You added the attachment %s!" \
% (request.form['attachment_name'] % (request.form['attachment_name']
or request.form['attachment_file'].filename)) or request.files['attachment_file'].filename))
return exc.HTTPFound( return exc.HTTPFound(
location=media.url_for_self(request.urlgen)) location=media.url_for_self(request.urlgen))
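Review bot: The unsafe-type check classifies the raw client-supplied `request.files['attachment_file'].filename`, but the file is stored under the output of `secure_filename(...)`, so the name that is checked and the name that is later served can differ. If sanitizing changes the extension (this depends on what `secure_filename` strips, which is not visible here), a name that `mimetypes.guess_type` does not recognise could end up stored with an extension whose type is in UNSAFE_MIMETYPES. Sanitize first and test the result: `public_filename = secure_filename(request.files['attachment_file'].filename)` followed by `if mimetypes.guess_type(public_filename)[0] in UNSAFE_MIMETYPES: public_filename += '.notsafe'`. Separately, `.stream.read()` pulls the whole upload into memory, so a chunked copy or an enforced request size limit would bound that. edit_attachments starts and ends outside these hunks.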


@ -104,10 +104,13 @@ class CloudFilesStorage(StorageInterface):
mimetype = mimetypes.guess_type( mimetype = mimetypes.guess_type(
filepath[-1]) filepath[-1])
if mimetype: if mimetype[0]:
# Set the mimetype on the CloudFiles object # Set the mimetype on the CloudFiles object
obj.content_type = mimetype[0] obj.content_type = mimetype[0]
obj.metadata = {'mime-type': mimetype[0]} obj.metadata = {'mime-type': mimetype[0]}
else:
obj.content_type = 'application/octet-stream'
obj.metadata = {'mime-type': 'application/octet-stream'}
return CloudFilesStorageObjectWrapper(obj, *args, **kwargs) return CloudFilesStorageObjectWrapper(obj, *args, **kwargs)
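Review bot: Both branches now assign the same two attributes and the fallback literal `'application/octet-stream'` appears twice; resolving the type once keeps them from drifting apart: `content_type = mimetype[0] or 'application/octet-stream'`, then `obj.content_type = content_type` and `obj.metadata = {'mime-type': content_type}`. A short comment on the fallback would help the next reader, e.g. `# guess_type() returns (None, None) for unknown extensions; store those as opaque bytes`. Since this is where the stored Content-Type is decided, it is also worth confirming that the `.notsafe` suffix applied in edit_attachments reaches `filepath[-1]` unchanged, so that such files fall through to the octet-stream branch. The enclosing method starts outside the hunk.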


@ -78,4 +78,4 @@ add_route('mediagoblin.edit.edit_media',
add_route('mediagoblin.edit.attachments', add_route('mediagoblin.edit.attachments',
'/u/<string:user>/m/<string:media>/attachments/', '/u/<string:user>/m/<string:media>/attachments/',
'mediagoblin.user_pages.views:edit_attachments') 'mediagoblin.edit.views:edit_attachments')