Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add python-magic for validating mimetypes #3061

Merged
merged 2 commits into from
Jun 29, 2024
Merged

Add python-magic for validating mimetypes #3061

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
7eece76
Add mime_type checks on file uploads
yunimoo May 31, 2024
af52748
Update requirements to add python-magic
yunimoo May 31, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
5 changes: 5 additions & 0 deletions cps/editbooks.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -23,6 +23,7 @@
import os
from datetime import datetime
import json
import magic
from shutil import copyfile
from uuid import uuid4
from markupsafe import escape, Markup # dependency of flask
Expand Down Expand Up @@ -757,6 +758,10 @@ def file_handling_on_upload(requested_file):
flash(_("File %(filename)s could not saved to temp dir",
filename=requested_file.filename), category="error")
return None, Response(json.dumps({"location": url_for("web.index")}), mimetype='application/json')
except (Exception):
flash(_("File is not allowed to be uploaded to this server",
filename=requested_file.filename), category="error")
return None, Response(json.dumps({"location": url_for("web.index")}), mimetype='application/json')
return meta, None


Expand Down
19 changes: 19 additions & 0 deletions cps/file_helper.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -19,6 +19,9 @@
from tempfile import gettempdir
import os
import shutil
import magic
import zipfile
from . import constants

def get_temp_dir():
tmp_dir = os.path.join(gettempdir(), 'calibre_web')
Expand All @@ -30,3 +33,19 @@ def get_temp_dir():
def del_temp_dir():
tmp_dir = os.path.join(gettempdir(), 'calibre_web')
shutil.rmtree(tmp_dir)

def validate_mime_type(tmp_file_path):
mime = magic.Magic(mime=True)
tmp_mime_type = mime.from_file(tmp_file_path)
if any(mime_type in tmp_mime_type for mime_type in constants.EXTENSIONS_UPLOAD):
return True
# Some epubs show up as zip mimetypes
elif "zip" in tmp_mime_type:
try:
with zipfile.ZipFile(tmp_file_path, 'r') as epub:
if "mimetype" in epub.namelist():
return True
except:
pass

raise Exception("Forbidden MIME type to upload")
5 changes: 3 additions & 2 deletions cps/uploader.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -23,7 +23,7 @@
from . import logger, comic, isoLanguages
from .constants import BookMeta
from .helper import split_authors
from .file_helper import get_temp_dir
from .file_helper import get_temp_dir, validate_mime_type

log = logger.create()

Expand Down Expand Up @@ -91,7 +91,8 @@ def process(tmp_file_path, original_file_name, original_file_extension, rar_exec
meta = meta._replace(title=original_file_name)
if not meta.author.strip() or meta.author.lower() == 'unknown':
meta = meta._replace(author=_('Unknown'))
return meta
if validate_mime_type(tmp_file_path):
return meta


def default_meta(tmp_file_path, original_file_name, original_file_extension):
Expand Down
1 change: 1 addition & 0 deletions requirements.txt
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -19,3 +19,4 @@ chardet>=3.0.0,<4.1.0
advocate>=1.0.0,<1.1.0
Flask-Limiter>=2.3.0,<3.6.0
regex>=2022.3.2,<2024.2.25
python-magic>=0.4.27