From 6776eadcd66b2dd7c6738635dae174601adb13ac Mon Sep 17 00:00:00 2001
From: Lunny Xiao
Date: Fri, 16 Aug 2019 20:52:19 +0800
Subject: [PATCH 1/3] fix upload file type check

---
 modules/upload/filetype.go | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/modules/upload/filetype.go b/modules/upload/filetype.go
index 1ec7324ed3196..e4b33f4b4fe29 100644
--- a/modules/upload/filetype.go
+++ b/modules/upload/filetype.go
@@ -34,7 +34,10 @@ func VerifyAllowedContentType(buf []byte, allowedTypes []string) error {
 	allowed := false
 	for _, t := range allowedTypes {
 		t := strings.Trim(t, " ")
-		if t == "*/*" || t == fileType {
+
+		if t == "*/*" || t == fileType ||
+			// allowed text/plain; charset=utf-8
+			strings.HasPrefix(fileType, t+";") {
 			allowed = true
 			break
 		}

From e5a92d3d4f68dd3db7f4b38de158232052b2faa5 Mon Sep 17 00:00:00 2001
From: Lunny Xiao
Date: Fri, 16 Aug 2019 23:50:59 +0800
Subject: [PATCH 2/3] make the function simple and added tests

---
 modules/upload/filetype.go      | 12 +++------
 modules/upload/filetype_test.go | 47 +++++++++++++++++++++++++++++++++
 2 files changed, 50 insertions(+), 9 deletions(-)
 create mode 100644 modules/upload/filetype_test.go

diff --git a/modules/upload/filetype.go b/modules/upload/filetype.go
index e4b33f4b4fe29..be92d997ed666 100644
--- a/modules/upload/filetype.go
+++ b/modules/upload/filetype.go
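Review bot: `t := strings.Trim(t, " ")` on the line just above the changed condition strips only spaces, so an allowedTypes entry padded with a tab or a newline from the configuration never matches and the upload is rejected even though the type is listed; `t := strings.TrimSpace(t)` covers all whitespace. The same line is carried unchanged through the second and third patches. The added prefix check is correct for the `"; "` separator that http.DetectContentType emits, but the condition now spans three lines with a comment in the middle of it; a named boolean such as `matches := t == "*/*" || t == fileType || strings.HasPrefix(fileType, t+";")` followed by `if matches {` reads more easily. VerifyAllowedContentType starts before this hunk.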
@@ -31,22 +31,16 @@ func (err ErrFileTypeForbidden) Error() string {
 func VerifyAllowedContentType(buf []byte, allowedTypes []string) error {
 	fileType := http.DetectContentType(buf)
 
-	allowed := false
 	for _, t := range allowedTypes {
 		t := strings.Trim(t, " ")
 
 		if t == "*/*" || t == fileType ||
 			// allowed text/plain; charset=utf-8
 			strings.HasPrefix(fileType, t+";") {
-			allowed = true
-			break
+			return nil
 		}
 	}
 
-	if !allowed {
-		log.Info("Attachment with type %s blocked from upload", fileType)
-		return ErrFileTypeForbidden{Type: fileType}
-	}
-
-	return nil
+	log.Info("Attachment with type %s blocked from upload", fileType)
+	return ErrFileTypeForbidden{Type: fileType}
 }
diff --git a/modules/upload/filetype_test.go b/modules/upload/filetype_test.go
new file mode 100644
index 0000000000000..f93a1c5cc3bc3
--- /dev/null
+++ b/modules/upload/filetype_test.go
@@ -0,0 +1,47 @@
+// Copyright 2019 The Gitea Authors. All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
+
+package upload
+
+import (
+	"bytes"
+	"compress/gzip"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestUpload(t *testing.T) {
+	testContent := []byte(`This is a plain text file.`)
+	var b bytes.Buffer
+	w := gzip.NewWriter(&b)
+	w.Write(testContent)
+	w.Close()
+
+	kases := []struct {
+		data         []byte
+		allowedTypes []string
+		err          error
+	}{
+		{
+			data:         testContent,
+			allowedTypes: []string{"text/plain"},
+			err:          nil,
+		},
+		{
+			data:         testContent,
+			allowedTypes: []string{"application/x-gzip"},
+			err:          ErrFileTypeForbidden{"text/plain; charset=utf-8"},
+		},
+		{
+			data:         b.Bytes(),
+			allowedTypes: []string{"application/x-gzip"},
+			err:          nil,
+		},
+	}
+
+	for _, kase := range kases {
+		assert.Equal(t, kase.err, VerifyAllowedContentType(kase.data, kase.allowedTypes))
+	}
+}

From 152de7611876b7f0854f3964f0de4b0c21928edd Mon Sep 17 00:00:00 2001
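Review bot: With the early return the loop body no longer spells out what counts as a match, and the function's doc comment sits above the hunk where I cannot see it; if it does not already say so, describe the three accepted forms there, e.g. `// An entry matches when it is "*/*", equals the sniffed content type, or names its media type with the parameters (such as charset) left off.` The rejection path logs and returns at exactly one layer, which is right; the log line is unchanged from before.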
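Review bot: `w.Write(testContent)` and `w.Close()` discard their errors, so a gzip writer failure would leave `b` holding a truncated stream and the third case would fail as a puzzling content-type mismatch instead of at its source; write them as `_, err := w.Write(testContent)` followed by `assert.NoError(t, err)`, and `assert.NoError(t, w.Close())`. The table covers exact match, mismatch and the gzip sniff, but not the `*/*` wildcard or an allowed entry that already carries parameters (`text/plain; charset=utf-8`), which are the remaining branches of the condition in VerifyAllowedContentType. The name `TestUpload` says nothing about what is tested; `TestVerifyAllowedContentType` ties it to the function.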
From: Andrew Thornton
Date: Sat, 17 Aug 2019 09:47:11 +0100
Subject: [PATCH 3/3] Update comment as per @silverwind

---
 modules/upload/filetype.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/upload/filetype.go b/modules/upload/filetype.go
index be92d997ed666..2ab326d11690f 100644
--- a/modules/upload/filetype.go
+++ b/modules/upload/filetype.go
@@ -35,7 +35,7 @@ func VerifyAllowedContentType(buf []byte, allowedTypes []string) error {
 		t := strings.Trim(t, " ")
 
 		if t == "*/*" || t == fileType ||
-			// allowed text/plain; charset=utf-8
+			// Allow directives after type, like 'text/plain; charset=utf-8'
 			strings.HasPrefix(fileType, t+";") {
 			return nil
 		}