Add whitelisting for documents

2017-10-11 02:39:35 +02:00 · 2017-10-11 02:39:35 +02:00 · 8a9d7a91c9
commit 8a9d7a91c9
parent 957b347b04
5 changed files with 22 additions and 2 deletions
--- a/plugins/documents/app/controllers/documents_controller.rb
+++ b/plugins/documents/app/controllers/documents_controller.rb
@ -26,6 +26,7 @@ class DocumentsController < ApplicationController
    @document = Document.new
    @document.data = params[:document][:data].read
    @document.mime = FileMagic.new(FileMagic::MAGIC_MIME).buffer(@document.data)
+    raise t('.not_allowed_mime', mime: @document.mime) unless allowed_mime? @document.mime
    if params[:document][:name] == ''
      name = params[:document][:data].original_filename
      name = File.basename(name)
@ -56,4 +57,12 @@ class DocumentsController < ApplicationController
    @document = Document.find(params[:id])
    send_data(@document.data, filename: @document.filename, type: @document.mime)
  end
+
+  def allowed_mime?(mime)
+    whitelist = FoodsoftConfig[:documents_allowed_extension].split
+    MIME::Types.type_for(whitelist).each do |type|
+      return true if type.like? mime
+    end
+    false
+  end
 end
--- a/plugins/documents/app/overrides/admin/configs/_tab_others/add_documents_config.html.haml.deface
+++ b/plugins/documents/app/overrides/admin/configs/_tab_others/add_documents_config.html.haml.deface
@ -1,2 +1,3 @@
-/ insert_before ':root:first-child'
-= config_input form, :use_documents, as: :boolean
+/ insert_after ':root:last-child'
+= config_use_heading form, :use_documents do
+  = config_input form, :documents_allowed_extension, as: :string, input_html: {class: 'input-xlarge'}
--- a/plugins/documents/config/locales/de.yml
+++ b/plugins/documents/config/locales/de.yml
@ -9,14 +9,17 @@ de:
        name: Name
  config:
    hints:
+      documents_allowed_extension: Eine Liste an erlaubten Dateiendungen getrennt durch Leerzeichen.
      use_documents: Einfache Dokumentenverwaltung aktivieren
    keys:
+      documents_allowed_extension: Erlaubte Endungen
      use_documents: Dokumente verwenden
  navigation:
    documents: Dokumente
  documents:
    create:
      error: 'Dokument konnte nicht erstellt werden: %{error}'
+      not_allowed_mime: Der Dateityp "%{mime}" ist nicht erlaubt. Bitte kontaktiere einen Administrator um ihn freizuschalten.
      notice: Dokument wurde erstellt
    destroy:
      error: 'Dokument konnt nicht gelöscht werden: %{error}'
--- a/plugins/documents/config/locales/en.yml
+++ b/plugins/documents/config/locales/en.yml
@ -9,14 +9,17 @@ en:
        name: Name
  config:
    hints:
+      documents_allowed_extension: A list of allowed filename extensions separated by spaces.
      use_documents: Add a basic document sharing page to the foodcoop menu.
    keys:
+      documents_allowed_extension: Allowed extensions
      use_documents: Enable documents
  navigation:
    documents: Documents
  documents:
    create:
      error: 'Document could not be created: %{error}'
+      not_allowed_mime: The filetype "%{mime}" is not allowed. Please contact an administrator to whitelist it.
      notice: Document was created
    destroy:
      error: 'Document could not be deleted: %{error}'
--- a/plugins/documents/lib/foodsoft_documents/engine.rb
+++ b/plugins/documents/lib/foodsoft_documents/engine.rb
@ -11,5 +11,9 @@ module FoodsoftDocuments
        sub_nav.items.insert(i, sub_nav.items.delete_at(-1))
      end
    end
+
+    def default_foodsoft_config(cfg)
+      cfg[:documents_allowed_extension] = 'gif jpg png txt'
+    end
  end
 end