Add mime_type checks on file uploads

2024-05-31 17:43:49 -04:00 · 2024-05-31 17:43:49 -04:00 · 7eece7603b
commit 7eece7603b
parent 014a247847
3 changed files with 27 additions and 2 deletions
--- a/cps/editbooks.py
+++ b/cps/editbooks.py
@ -23,6 +23,7 @@
 import os
 from datetime import datetime
 import json
+import magic
 from shutil import copyfile
 from uuid import uuid4
 from markupsafe import escape, Markup  # dependency of flask
@ -757,6 +758,10 @@ def file_handling_on_upload(requested_file):
        flash(_("File %(filename)s could not saved to temp dir",
                filename=requested_file.filename), category="error")
        return None, Response(json.dumps({"location": url_for("web.index")}), mimetype='application/json')
+    except (Exception):
+        flash(_("File is not allowed to be uploaded to this server",
+                filename=requested_file.filename), category="error")
+        return None, Response(json.dumps({"location": url_for("web.index")}), mimetype='application/json')
    return meta, None


--- a/cps/file_helper.py
+++ b/cps/file_helper.py
@ -19,6 +19,9 @@
 from tempfile import gettempdir
 import os
 import shutil
+import magic
+import zipfile
+from . import constants

 def get_temp_dir():
    tmp_dir = os.path.join(gettempdir(), 'calibre_web')
@ -30,3 +33,19 @@ def get_temp_dir():
 def del_temp_dir():
    tmp_dir = os.path.join(gettempdir(), 'calibre_web')
    shutil.rmtree(tmp_dir)
+
+def validate_mime_type(tmp_file_path):
+    mime = magic.Magic(mime=True)
+    tmp_mime_type = mime.from_file(tmp_file_path)
+    if any(mime_type in tmp_mime_type for mime_type in constants.EXTENSIONS_UPLOAD):
+        return True
+    # Some epubs show up as zip mimetypes
+    elif "zip" in tmp_mime_type:
+        try:
+            with zipfile.ZipFile(tmp_file_path, 'r') as epub:
+                if "mimetype" in epub.namelist():
+                    return True
+        except:
+            pass
+    
+    raise Exception("Forbidden MIME type to upload")
--- a/cps/uploader.py
+++ b/cps/uploader.py
@ -23,7 +23,7 @@ from flask_babel import gettext as _
 from . import logger, comic, isoLanguages
 from .constants import BookMeta
 from .helper import split_authors
-from .file_helper import get_temp_dir
+from .file_helper import get_temp_dir, validate_mime_type

 log = logger.create()

@ -91,7 +91,8 @@ def process(tmp_file_path, original_file_name, original_file_extension, rar_exec
        meta = meta._replace(title=original_file_name)
    if not meta.author.strip() or meta.author.lower() == 'unknown':
        meta = meta._replace(author=_('Unknown'))
-    return meta
+    if validate_mime_type(tmp_file_path):
+        return meta


 def default_meta(tmp_file_path, original_file_name, original_file_extension):