From 7eece7603bc7fa33913e55cfa2081f55132b5b96 Mon Sep 17 00:00:00 2001
From: yunimoo <yunimoo@nekocake.cafe>
Date: Fri, 31 May 2024 17:43:49 -0400
Subject: [PATCH 1/2] Add mime_type checks on file uploads

---
 cps/editbooks.py   |  5 +++++
 cps/file_helper.py | 19 +++++++++++++++++++
 cps/uploader.py    |  5 +++--
 3 files changed, 27 insertions(+), 2 deletions(-)

diff --git a/cps/editbooks.py b/cps/editbooks.py
index 43309a14..5ed95595 100644
--- a/cps/editbooks.py
+++ b/cps/editbooks.py
@@ -23,6 +23,7 @@
 import os
 from datetime import datetime
 import json
+import magic
 from shutil import copyfile
 from uuid import uuid4
 from markupsafe import escape, Markup  # dependency of flask
@@ -757,6 +758,10 @@ def file_handling_on_upload(requested_file):
         flash(_("File %(filename)s could not saved to temp dir",
                 filename=requested_file.filename), category="error")
         return None, Response(json.dumps({"location": url_for("web.index")}), mimetype='application/json')
+    except (Exception):
+        flash(_("File is not allowed to be uploaded to this server",
+                filename=requested_file.filename), category="error")
+        return None, Response(json.dumps({"location": url_for("web.index")}), mimetype='application/json')
     return meta, None
 
 
diff --git a/cps/file_helper.py b/cps/file_helper.py
index 7c3e5291..6160eb70 100644
--- a/cps/file_helper.py
+++ b/cps/file_helper.py
@@ -19,6 +19,9 @@
 from tempfile import gettempdir
 import os
 import shutil
+import magic
+import zipfile
+from . import constants
 
 def get_temp_dir():
     tmp_dir = os.path.join(gettempdir(), 'calibre_web')
@@ -30,3 +33,19 @@ def get_temp_dir():
 def del_temp_dir():
     tmp_dir = os.path.join(gettempdir(), 'calibre_web')
     shutil.rmtree(tmp_dir)
+
+def validate_mime_type(tmp_file_path):
+    mime = magic.Magic(mime=True)
+    tmp_mime_type = mime.from_file(tmp_file_path)
+    if any(mime_type in tmp_mime_type for mime_type in constants.EXTENSIONS_UPLOAD):
+        return True
+    # Some epubs show up as zip mimetypes
+    elif "zip" in tmp_mime_type:
+        try:
+            with zipfile.ZipFile(tmp_file_path, 'r') as epub:
+                if "mimetype" in epub.namelist():
+                    return True
+        except:
+            pass
+    
+    raise Exception("Forbidden MIME type to upload")
diff --git a/cps/uploader.py b/cps/uploader.py
index 8f20762f..c2ebd96b 100644
--- a/cps/uploader.py
+++ b/cps/uploader.py
@@ -23,7 +23,7 @@ from flask_babel import gettext as _
 from . import logger, comic, isoLanguages
 from .constants import BookMeta
 from .helper import split_authors
-from .file_helper import get_temp_dir
+from .file_helper import get_temp_dir, validate_mime_type
 
 log = logger.create()
 
@@ -91,7 +91,8 @@ def process(tmp_file_path, original_file_name, original_file_extension, rar_exec
         meta = meta._replace(title=original_file_name)
     if not meta.author.strip() or meta.author.lower() == 'unknown':
         meta = meta._replace(author=_('Unknown'))
-    return meta
+    if validate_mime_type(tmp_file_path):
+        return meta
 
 
 def default_meta(tmp_file_path, original_file_name, original_file_extension):

From af52748acaa18a2b00585508222c7f884b1dc9f6 Mon Sep 17 00:00:00 2001
From: yunimoo <yunimoo@nekocake.cafe>
Date: Fri, 31 May 2024 17:44:05 -0400
Subject: [PATCH 2/2] Update requirements to add python-magic

---
 requirements.txt | 1 +
 1 file changed, 1 insertion(+)

diff --git a/requirements.txt b/requirements.txt
index 7bb5ff3d..dd89dead 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -19,3 +19,4 @@ chardet>=3.0.0,<4.1.0
 advocate>=1.0.0,<1.1.0
 Flask-Limiter>=2.3.0,<3.6.0
 regex>=2022.3.2,<2024.2.25
+python-magic>=0.4.27