Add whitelisting for documents

Patrick Gansterer 2017-10-11 02:39:35 +02:00
parent 957b347b04
commit 8a9d7a91c9
5 changed files with 22 additions and 2 deletions


@ -26,6 +26,7 @@ class DocumentsController < ApplicationController
@document = Document.new
@document.data = params[:document][:data].read
@document.mime = FileMagic.new(FileMagic::MAGIC_MIME).buffer(@document.data)
raise t('.not_allowed_mime', mime: @document.mime) unless allowed_mime? @document.mime
if params[:document][:name] == ''
name = params[:document][:data].original_filename
name = File.basename(name)
@ -56,4 +57,12 @@ class DocumentsController < ApplicationController
@document = Document.find(params[:id])
send_data(@document.data, filename: @document.filename, type: @document.mime)
end
def allowed_mime?(mime)
whitelist = FoodsoftConfig[:documents_allowed_extension].split
MIME::Types.type_for(whitelist).each do |type|
return true if type.like? mime
end
false
end
end
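Review bot: In `allowed_mime?`, `FoodsoftConfig[:documents_allowed_extension].split` has no nil guard, so an installation without this key would presumably fail every upload with a NoMethodError rather than the translated `not_allowed_mime` message; whether one of the other four changed files supplies a default is not visible here. `whitelist = FoodsoftConfig[:documents_allowed_extension].to_s.split` keeps the check fail-closed (an empty list allows nothing) and lets the intended message reach the user. The setting is named for extensions, but the check compares only the libmagic-sniffed content type: no visible line compares the extension of `original_filename` (read just after the new `raise`) against the list. A comment on the method such as `# compares the sniffed content type only; the uploaded filename's extension is not checked` would make that limit explicit. No `private` is visible before `def allowed_mime?`, and the body of `create` continues outside the first hunk, so how the raised string is rescued cannot be judged from here.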