Commit 99f79264 authored by Yuri Konotopov's avatar Yuri Konotopov

extensions: restrict accepted images types

parent dabeaa71
Pipeline #185943 passed with stage
in 6 minutes and 45 seconds
"""
GNOME Shell Extensions Repository
Copyright (C) 2020 Yuri Konotopov <ykonotopov@gnome.org>
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU Affero General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
"""
from django.core.exceptions import ValidationError
from django.forms.fields import ImageField
class RestrictedImageField(ImageField):
def __init__(self, *, allowed_types=["gif", "jpeg", "png", "webp"], **kwargs):
self.allowed_types = allowed_types
super().__init__(**kwargs)
def to_python(self, data):
f = super().to_python(data)
if f is None or f.image is None:
return None
if f.image.format is None or not f.image.format.lower() in self.allowed_types:
raise ValidationError(
self.error_messages['invalid_image'],
code='invalid_image_type',
)
if hasattr(f, 'seek') and callable(f.seek):
f.seek(0)
return f
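Review bot: `allowed_types` is compared against `f.image.format.lower()` on L26 but is stored verbatim on L20, so a caller passing upper-case names such as `"PNG"` gets every image rejected, and the list default on L19 is a mutable object shared by all field instances. Normalising once in `__init__` fixes both and gives O(1) membership: `self.allowed_types = {t.lower() for t in allowed_types}`. The membership test itself reads better as `f.image.format.lower() not in self.allowed_types`. The error on L27-L30 reuses the `invalid_image` message, which describes a corrupted or non-image file rather than an unsupported format; a dedicated `default_error_messages` entry keyed `invalid_image_type` would tell the uploader what actually went wrong. It appears the parent `to_python` already rewinds the file after verifying it in current Django versions, so the `seek(0)` on L31-L32 is likely redundant but harmless.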
"""
GNOME Shell Extensions Repository
Copyright (C) 2011 Jasper St. Pierre <jstpierre@mecheye.net>
Copyright (C) 2020 Yuri Konotopov <ykonotopov@gnome.org>
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU Affero General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
"""
from django import forms
from django.core.validators import FileExtensionValidator
from .form_fields import RestrictedImageField
class UploadForm(forms.Form):
source = forms.FileField(required=True)
......@@ -23,5 +36,11 @@ I agree that GNOME Shell Extensions can remove, modify or reassign maintainershi
raise forms.ValidationError("You must agree to the GNOME Shell Extensions terms of service.")
return tos_compliant
class ImageUploadForm(forms.Form):
file = forms.ImageField(required=True)
allowed_types = ["gif", "jpg", "jpeg", "png", "webp"]
file = RestrictedImageField(
required=True,
allowed_types=allowed_types,
validators=[FileExtensionValidator(allowed_types)]
)
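Review bot: The single `allowed_types` list on L53 feeds two different vocabularies: `RestrictedImageField` matches it against Pillow's lower-cased `image.format` (the content check), while `FileExtensionValidator` on L57 matches it against the filename suffix (the name check). `"jpg"` is only meaningful for the second use, and a future entry that exists in one vocabulary but not the other will silently weaken one of the checks. A comment on L53 would keep that from being lost, e.g. `# Used both as Pillow format names (content check) and as filename extensions (name check); "jpg" only matters for the extension validator.` Note the two checks are independent, so a file whose name and content disagree (a PNG named `x.jpg`) passes as long as both are individually allowed.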
"""
GNOME Shell Extensions Repository
Copyright (C) 2011-2013 Jasper St. Pierre <jstpierre@mecheye.net>
Copyright (C) 2019 Claude Paroz <claude@2xlibre.net>
Copyright (C) 2016-2020 Yuri Konotopov <ykonotopov@gnome.org>
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU Affero General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
"""
import autoslug
import json
import os
import re
import zlib
from zipfile import ZipFile, BadZipfile
......@@ -8,10 +23,6 @@ from django.db import models
from django.dispatch import Signal
from django.urls import reverse
import autoslug
import re
import zlib
(STATUS_UNREVIEWED,
STATUS_REJECTED,
STATUS_INACTIVE,
......@@ -82,11 +93,13 @@ def build_shell_version_array(versions):
def make_screenshot_filename(obj, filename=None):
return "screenshots/screenshot_%d.png" % (obj.pk,)
ext = os.path.splitext(filename)[1].lower()
return "screenshots/screenshot_%d%s" % (obj.pk, ext)
def make_icon_filename(obj, filename=None):
return "icons/icon_%d.png" % (obj.pk,)
ext = os.path.splitext(filename)[1].lower()
return "icons/icon_%d%s" % (obj.pk, ext)
class Extension(models.Model):
......
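Review bot: `make_screenshot_filename` keeps the `filename=None` default on L85 but its new body passes `filename` straight to `os.path.splitext` on L87, which raises `TypeError` for `None`; the old body never touched the argument, so any caller relying on the default now crashes. `make_icon_filename` on L89-L92 has the same defect. Either drop the default or keep the previous behaviour as the fallback, e.g. `ext = os.path.splitext(filename)[1].lower() if filename else ".png"`. The stored extension is now taken from the uploader's filename rather than from the image content that `RestrictedImageField` verified; it is bounded to the allowed set only when the upload went through `ImageUploadForm`'s `FileExtensionValidator`, and it is never cross-checked against the detected format.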
"""
GNOME Shell Extensions Repository
Copyright (C) 2011-2016 Jasper St. Pierre <jstpierre@mecheye.net>
Copyright (C) 2016-2020 Yuri Konotopov <ykonotopov@gnome.org>
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU Affero General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
"""
import json
from math import ceil
......@@ -7,7 +17,7 @@ from django.core.paginator import Paginator, InvalidPage
from django.contrib.auth.decorators import login_required
from django.contrib import messages
from django.db import transaction
from django.http import HttpResponse, HttpResponseBadRequest, HttpResponseForbidden, HttpResponseServerError, Http404
from django.http import JsonResponse, HttpResponse, HttpResponseBadRequest, HttpResponseForbidden, HttpResponseServerError, Http404
from django.shortcuts import get_object_or_404, redirect, render
from django.template.loader import render_to_string
from django.views.decorators.http import require_POST
......@@ -348,8 +358,11 @@ def validate_uploaded_image(request, extension):
form = ImageUploadForm(request.POST, request.FILES)
if not form.is_valid() or form.cleaned_data['file'].size > 2*1024*1024:
return HttpResponseForbidden()
if not form.is_valid():
return JsonResponse(form.errors.get_json_data(), status=403)
if form.cleaned_data['file'].size > 2*1024*1024:
return HttpResponseForbidden(content="Too big image")
return form.cleaned_data['file']
......
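Review bot: The 2 MiB limit on L121-L122 is still applied only after `form.is_valid()` on L119, by which point `ImageField.to_python` has already opened and verified the entire upload with Pillow, so an oversized file is fully decoded before it is rejected (Pillow's own pixel-count guard limits decompression bombs, but not the bytes read and the work done). Checking the raw upload before validation keeps the expensive path behind the cheap one: `f = request.FILES.get('file')` / `if f is not None and f.size > 2*1024*1024: return HttpResponseForbidden(content="Too big image")`, placed before L116. As a point of style, a failed form validation on L120 is answered with 403 although it is a client input error; 400 would match the `HttpResponseBadRequest` already imported on L111, though callers of this helper may depend on the current code. `validate_uploaded_image` starts outside the hunk.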