Add mime_type checks on file uploads

janeczku · May 31, 2024 · 7eece76 · 7eece76
1 parent 014a247
commit 7eece76
Show file tree

Hide file tree

Showing 3 changed files with 27 additions and 2 deletions.
diff --git a/cps/editbooks.py b/cps/editbooks.py
@@ -23,6 +23,7 @@
 import os
 from datetime import datetime
 import json
+import magic
 from shutil import copyfile
 from uuid import uuid4
 from markupsafe import escape, Markup  # dependency of flask
@@ -757,6 +758,10 @@ def file_handling_on_upload(requested_file):
         flash(_("File %(filename)s could not saved to temp dir",
                 filename=requested_file.filename), category="error")
         return None, Response(json.dumps({"location": url_for("web.index")}), mimetype='application/json')
+    except (Exception):
+        flash(_("File is not allowed to be uploaded to this server",
+                filename=requested_file.filename), category="error")
+        return None, Response(json.dumps({"location": url_for("web.index")}), mimetype='application/json')
     return meta, None
 
 

diff --git a/cps/file_helper.py b/cps/file_helper.py
@@ -19,6 +19,9 @@
 from tempfile import gettempdir
 import os
 import shutil
+import magic
+import zipfile
+from . import constants
 
 def get_temp_dir():
     tmp_dir = os.path.join(gettempdir(), 'calibre_web')
@@ -30,3 +33,19 @@ def get_temp_dir():
 def del_temp_dir():
     tmp_dir = os.path.join(gettempdir(), 'calibre_web')
     shutil.rmtree(tmp_dir)
+
+def validate_mime_type(tmp_file_path):
+    mime = magic.Magic(mime=True)
+    tmp_mime_type = mime.from_file(tmp_file_path)
+    if any(mime_type in tmp_mime_type for mime_type in constants.EXTENSIONS_UPLOAD):
+        return True
+    # Some epubs show up as zip mimetypes
+    elif "zip" in tmp_mime_type:
+        try:
+            with zipfile.ZipFile(tmp_file_path, 'r') as epub:
+                if "mimetype" in epub.namelist():
+                    return True
+        except:
+            pass
+
+    raise Exception("Forbidden MIME type to upload")
diff --git a/cps/uploader.py b/cps/uploader.py
@@ -23,7 +23,7 @@
 from . import logger, comic, isoLanguages
 from .constants import BookMeta
 from .helper import split_authors
-from .file_helper import get_temp_dir
+from .file_helper import get_temp_dir, validate_mime_type
 
 log = logger.create()
 
@@ -91,7 +91,8 @@ def process(tmp_file_path, original_file_name, original_file_extension, rar_exec
         meta = meta._replace(title=original_file_name)
     if not meta.author.strip() or meta.author.lower() == 'unknown':
         meta = meta._replace(author=_('Unknown'))
-    return meta
+    if validate_mime_type(tmp_file_path):
+        return meta
 
 
 def default_meta(tmp_file_path, original_file_name, original_file_extension):