From 8b76b4910d1e6a135a0856ba1704a71cbde66988 Mon Sep 17 00:00:00 2001 From: monodo Date: Tue, 21 May 2024 12:24:35 +0200 Subject: [PATCH] back check for additional file extension restrictions --- geocity/apps/submissions/models.py | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/geocity/apps/submissions/models.py b/geocity/apps/submissions/models.py index c1ec15181..78f92d856 100644 --- a/geocity/apps/submissions/models.py +++ b/geocity/apps/submissions/models.py @@ -726,6 +726,7 @@ def set_field_value(self, form, field, value): existing_value_obj.delete() else: if is_file: + # Use private storage to prevent uploaded files exposition to the outside world private_storage = fields.PrivateFileSystemStorage() # If the given File has a `url` attribute, it means the value comes from the `initial` form data, so the @@ -758,7 +759,21 @@ def set_field_value(self, form, field, value): directory, "{}_{}_{}{}".format(form.pk, field.pk, file_uuid, ext) ) + # Check that extension is allowed in field configuration if additional restriction is defined in admin + if field.allowed_file_types: + if upper_ext not in field.allowed_file_types.upper(): + logger.warning( + f"Attempt to upload unauthorized file type for file ({value.name})" + ) + # FIXME: send the validation error correctly to the form as this will in fact only raise a generic error to the user + raise ValidationError( + _( + f"L'extension du fichier n'est pas autorisé pour ce document" + ) + ) + private_storage.save(path, value) + # Postprocess images: remove all exif metadata from for better security and user privacy if upper_ext != "PDF": upper_ext = ext[1:].upper()