Add whitelisting for documents

Patrick Gansterer 2017-10-11 02:39:35 +02:00
parent 957b347b04
commit 8a9d7a91c9
5 changed files with 22 additions and 2 deletions


@ -26,6 +26,7 @@ class DocumentsController < ApplicationController
@document = Document.new
@document.data = params[:document][:data].read
@document.mime = FileMagic.new(FileMagic::MAGIC_MIME).buffer(@document.data)
raise t('.not_allowed_mime', mime: @document.mime) unless allowed_mime? @document.mime
if params[:document][:name] == ''
name = params[:document][:data].original_filename
name = File.basename(name)
@ -56,4 +57,12 @@ class DocumentsController < ApplicationController
@document = Document.find(params[:id])
send_data(@document.data, filename: @document.filename, type: @document.mime)
end
def allowed_mime?(mime)
whitelist = FoodsoftConfig[:documents_allowed_extension].split
MIME::Types.type_for(whitelist).each do |type|
return true if type.like? mime
end
false
end
end
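Review bot: `allowed_mime?` is added directly after the `show` action with no `private` marker visible in the hunk, so it appears to be a public controller method, which Rails treats as an action; put `private` on the line before `def allowed_mime?(mime)` (the class body starts outside the hunk, so confirm none is already in effect). In the same method, `FoodsoftConfig[:documents_allowed_extension].split` raises NoMethodError if the setting is ever nil, which still rejects the upload but reports an internal error instead of the `not_allowed_mime` message; `FoodsoftConfig[:documents_allowed_extension].to_s.split` keeps the deny-by-default behaviour with the intended message. The check compares only the sniffed content type, so the extension of the uploaded filename, which is kept from `original_filename`, is never matched against the list; a short comment on the method should say so.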


@ -1,2 +1,3 @@
/ insert_before ':root:first-child'
= config_input form, :use_documents, as: :boolean
/ insert_after ':root:last-child'
= config_use_heading form, :use_documents do
= config_input form, :documents_allowed_extension, as: :string, input_html: {class: 'input-xlarge'}


@ -9,14 +9,17 @@ de:
name: Name
config:
hints:
documents_allowed_extension: Eine Liste an erlaubten Dateiendungen getrennt durch Leerzeichen.
use_documents: Einfache Dokumentenverwaltung aktivieren
keys:
documents_allowed_extension: Erlaubte Endungen
use_documents: Dokumente verwenden
navigation:
documents: Dokumente
documents:
create:
error: 'Dokument konnte nicht erstellt werden: %{error}'
not_allowed_mime: Der Dateityp "%{mime}" ist nicht erlaubt. Bitte kontaktiere einen Administrator um ihn freizuschalten.
notice: Dokument wurde erstellt
destroy:
error: 'Dokument konnt nicht gelöscht werden: %{error}'


@ -9,14 +9,17 @@ en:
name: Name
config:
hints:
documents_allowed_extension: A list of allowed filename extensions separated by spaces.
use_documents: Add a basic document sharing page to the foodcoop menu.
keys:
documents_allowed_extension: Allowed extensions
use_documents: Enable documents
navigation:
documents: Documents
documents:
create:
error: 'Document could not be created: %{error}'
not_allowed_mime: The filetype "%{mime}" is not allowed. Please contact an administrator to whitelist it.
notice: Document was created
destroy:
error: 'Document could not be deleted: %{error}'


@ -11,5 +11,9 @@ module FoodsoftDocuments
sub_nav.items.insert(i, sub_nav.items.delete_at(-1))
end
end
def default_foodsoft_config(cfg)
cfg[:documents_allowed_extension] = 'gif jpg png txt'
end
end
end
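Review bot: `default_foodsoft_config` sets a security-relevant default without saying how the value is interpreted, and the key name suggests a filename check that the controller does not perform. A comment above the assignment would help, e.g. `# Space-separated extensions; DocumentsController#allowed_mime? maps them to MIME types and compares them with the sniffed type of each upload.` The enclosing module and class start outside the hunk, so whether this default also reaches installations with an existing configuration cannot be told from here.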