mirror of
https://github.com/mediacms-io/mediacms.git
synced 2024-11-28 03:03:26 +01:00
add validation to files uploading to avoid client side pushing arbitrary data (#1057)
This commit is contained in:
parent
1adee8c156
commit
986c7d1074
@ -1,4 +1,7 @@
|
|||||||
|
import re
|
||||||
import shutil
|
import shutil
|
||||||
|
import os
|
||||||
|
import uuid
|
||||||
from io import StringIO
|
from io import StringIO
|
||||||
from os.path import join
|
from os.path import join
|
||||||
|
|
||||||
@ -7,16 +10,31 @@ from django.conf import settings
|
|||||||
from . import utils
|
from . import utils
|
||||||
|
|
||||||
|
|
||||||
|
def is_valid_uuid_format(uuid_string):
|
||||||
|
pattern = re.compile(r'^[a-f0-9]{8}-[a-f0-9]{4}-4[a-f0-9]{3}-[89ab][a-f0-9]{3}-[a-f0-9]{12}$', re.IGNORECASE)
|
||||||
|
return bool(pattern.match(uuid_string))
|
||||||
|
|
||||||
|
|
||||||
class BaseFineUploader(object):
|
class BaseFineUploader(object):
|
||||||
def __init__(self, data, *args, **kwargs):
|
def __init__(self, data, *args, **kwargs):
|
||||||
self.data = data
|
self.data = data
|
||||||
self.total_filesize = data.get("qqtotalfilesize")
|
|
||||||
self.filename = data.get("qqfilename")
|
self.filename = data.get("qqfilename")
|
||||||
self.uuid = data.get("qquuid")
|
self.uuid = data.get("qquuid")
|
||||||
|
|
||||||
|
if not is_valid_uuid_format(self.uuid):
|
||||||
|
# something nasty client side could be happening here
|
||||||
|
# generate new uuid to ensure this is uuid
|
||||||
|
# not sure if this will work with the chunked uploads though
|
||||||
|
self.uuid = uuid.uuid4()
|
||||||
|
|
||||||
|
self.filename = os.path.basename(self.filename)
|
||||||
|
# avoid possibility of passing a fake path here
|
||||||
|
|
||||||
self.file = data.get("qqfile")
|
self.file = data.get("qqfile")
|
||||||
self.storage_class = settings.FILE_STORAGE
|
self.storage_class = settings.FILE_STORAGE
|
||||||
self.real_path = None
|
self.real_path = None
|
||||||
|
|
||||||
|
|
||||||
@property
|
@property
|
||||||
def finished(self):
|
def finished(self):
|
||||||
return self.real_path is not None
|
return self.real_path is not None
|
||||||
@ -50,7 +68,11 @@ class ChunkedFineUploader(BaseFineUploader):
|
|||||||
self.total_parts = data.get("qqtotalparts")
|
self.total_parts = data.get("qqtotalparts")
|
||||||
if not isinstance(self.total_parts, int):
|
if not isinstance(self.total_parts, int):
|
||||||
self.total_parts = 1
|
self.total_parts = 1
|
||||||
self.part_index = data.get("qqpartindex")
|
qqpartindex = data.get("qqpartindex")
|
||||||
|
if not isinstance(qqpartindex, int):
|
||||||
|
# something nasty client side could be happening here
|
||||||
|
qqpartindex = 0
|
||||||
|
self.part_index = qqpartindex
|
||||||
|
|
||||||
@property
|
@property
|
||||||
def chunks_path(self):
|
def chunks_path(self):
|
||||||
@ -75,6 +97,7 @@ class ChunkedFineUploader(BaseFineUploader):
|
|||||||
def combine_chunks(self):
|
def combine_chunks(self):
|
||||||
# implement the same behaviour.
|
# implement the same behaviour.
|
||||||
self.real_path = self.storage.save(self._full_file_path, StringIO())
|
self.real_path = self.storage.save(self._full_file_path, StringIO())
|
||||||
|
|
||||||
with self.storage.open(self.real_path, "wb") as final_file:
|
with self.storage.open(self.real_path, "wb") as final_file:
|
||||||
for i in range(self.total_parts):
|
for i in range(self.total_parts):
|
||||||
part = join(self.chunks_path, str(i))
|
part = join(self.chunks_path, str(i))
|
||||||
|
Loading…
Reference in New Issue
Block a user