Add whitelisting for documents

2017-10-11 02:39:35 +02:00 · 2017-10-11 02:39:35 +02:00 · 8a9d7a91c9
commit 8a9d7a91c9
parent 957b347b04
5 changed files with 22 additions and 2 deletions
--- a/plugins/documents/app/controllers/documents_controller.rb
+++ b/plugins/documents/app/controllers/documents_controller.rb
@ -26,6 +26,7 @@ class DocumentsController < ApplicationController
    @document = Document.new
    @document.data = params[:document][:data].read
    @document.mime = FileMagic.new(FileMagic::MAGIC_MIME).buffer(@document.data)
+    raise t('.not_allowed_mime', mime: @document.mime) unless allowed_mime? @document.mime
    if params[:document][:name] == ''
      name = params[:document][:data].original_filename
      name = File.basename(name)
@ -56,4 +57,12 @@ class DocumentsController < ApplicationController
    @document = Document.find(params[:id])
    send_data(@document.data, filename: @document.filename, type: @document.mime)
  end
+
+  def allowed_mime?(mime)
+    whitelist = FoodsoftConfig[:documents_allowed_extension].split
+    MIME::Types.type_for(whitelist).each do |type|
+      return true if type.like? mime
+    end
+    false
+  end
 end
--- a/plugins/documents/app/overrides/admin/configs/_tab_others/add_documents_config.html.haml.deface
+++ b/plugins/documents/app/overrides/admin/configs/_tab_others/add_documents_config.html.haml.deface
@ -1,2 +1,3 @@
-/ insert_before ':root:first-child'
-= config_input form, :use_documents, as: :boolean
+/ insert_after ':root:last-child'
+= config_use_heading form, :use_documents do
+  = config_input form, :documents_allowed_extension, as: :string, input_html: {class: 'input-xlarge'}