Browse Source
Fix upload file type check (#7890)
* fix upload file type check * make the function simple and added tests * Update comment as per @silverwindtags/v1.21.12.1
Lunny Xiao
Lauris BH
6 years ago
2 changed files with 54 additions and 10 deletions
Unified View
Diff Options
-
+7 -10modules/upload/filetype.go
-
+47 -0modules/upload/filetype_test.go
+ 7
- 10
modules/upload/filetype.go
View File
| @@ -31,19 +31,16 @@ func (err ErrFileTypeForbidden) Error() string { | |||||
| func VerifyAllowedContentType(buf []byte, allowedTypes []string) error { | func VerifyAllowedContentType(buf []byte, allowedTypes []string) error { | ||||
| fileType := http.DetectContentType(buf) | fileType := http.DetectContentType(buf) | ||||
| allowed := false | |||||
| for _, t := range allowedTypes { | for _, t := range allowedTypes { | ||||
| t := strings.Trim(t, " ") | t := strings.Trim(t, " ") | ||||
| if t == "*/*" || t == fileType { | |||||
| allowed = true | |||||
| break | |||||
| } | |||||
| } | |||||
| if !allowed { | |||||
| log.Info("Attachment with type %s blocked from upload", fileType) | |||||
| return ErrFileTypeForbidden{Type: fileType} | |||||
| if t == "*/*" || t == fileType || | |||||
| // Allow directives after type, like 'text/plain; charset=utf-8' | |||||
| strings.HasPrefix(fileType, t+";") { | |||||
| return nil | |||||
| } | |||||
| } | } | ||||
| return nil | |||||
| log.Info("Attachment with type %s blocked from upload", fileType) | |||||
| return ErrFileTypeForbidden{Type: fileType} | |||||
| } | } | ||||
+ 47
- 0
modules/upload/filetype_test.go
View File
| @@ -0,0 +1,47 @@ | |||||
| // Copyright 2019 The Gitea Authors. All rights reserved. | |||||
| // Use of this source code is governed by a MIT-style | |||||
| // license that can be found in the LICENSE file. | |||||
| package upload | |||||
| import ( | |||||
| "bytes" | |||||
| "compress/gzip" | |||||
| "testing" | |||||
| "github.com/stretchr/testify/assert" | |||||
| ) | |||||
| func TestUpload(t *testing.T) { | |||||
| testContent := []byte(`This is a plain text file.`) | |||||
| var b bytes.Buffer | |||||
| w := gzip.NewWriter(&b) | |||||
| w.Write(testContent) | |||||
| w.Close() | |||||
| kases := []struct { | |||||
| data []byte | |||||
| allowedTypes []string | |||||
| err error | |||||
| }{ | |||||
| { | |||||
| data: testContent, | |||||
| allowedTypes: []string{"text/plain"}, | |||||
| err: nil, | |||||
| }, | |||||
| { | |||||
| data: testContent, | |||||
| allowedTypes: []string{"application/x-gzip"}, | |||||
| err: ErrFileTypeForbidden{"text/plain; charset=utf-8"}, | |||||
| }, | |||||
| { | |||||
| data: b.Bytes(), | |||||
| allowedTypes: []string{"application/x-gzip"}, | |||||
| err: nil, | |||||
| }, | |||||
| } | |||||
| for _, kase := range kases { | |||||
| assert.Equal(t, kase.err, VerifyAllowedContentType(kase.data, kase.allowedTypes)) | |||||
| } | |||||
| } | |||||