Changeset 8068f6d


Timestamp:
Sep 8, 2012, 6:59:18 PM (13 years ago)
Author:
Alex Dehnert <adehnert@…>
Branches:
master, space-access, stable, stage
Children:
2e5dc1b
Parents:
26fd6cf
git-author:
Alex Dehnert <adehnert@…> (09/08/12 17:13:36)
git-committer:
Alex Dehnert <adehnert@…> (09/08/12 18:59:18)
Message:

Limit and canonicalize constitution file extensions

This makes it plausibly safe to serve the directory containing the
constitutions from a web server that supports PHP or CGI or whatnot. However,
note that HTML (and other file contents) isn't sanitized at all, so serving
them up on an origin you care about (eg, https://asa.mit.edu/constitutions/...)
would be quite ill-advised.

File:
1 edited

  • asadb/groups/models.py

    ra03cb61 r8068f6d  
    183183    def compute_filename(self, tmp_path, headers, ):
    184184        slug = self.group.slug()
     185        known_ext = set([
     186            '.pdf',
     187            '.ps',
     188            '.doc',
     189            '.rtf',
     190            '.html',
     191            '.tex',
     192            '.txt'
     193        ])
    185194        basename, fileext = os.path.splitext(tmp_path)
    186195        if fileext:
     
    188197        else:
    189198            if headers.getheader('Content-Type'):
    190                 mimeext = mimetypes.guess_extension(headers.gettype())
    191                 if mimeext:
    192                     ext = mimeext
     199                extensions = mimetypes.guess_all_extensions(headers.gettype())
     200                for extension in extensions:
     201                    if extension in known_ext:
     202                        ext = extension
     203                        break
    193204                else:
    194                     ext = ''
     205                    if len(extensions) > 0:
     206                        ext = extensions[0]
     207                    else:
     208                        ext = ''
    195209            else:
    196210                ext = ''
     211
     212        extmap = {
     213            '.htm': '.html',
     214            '.php': '.html',
     215            '.PS':  '.ps',
     216            '.shtml':   '.html',
     217            '.text':    '.txt',
     218        }
     219        # we have no real handling of no extension, .old, and .ksh
     220        if ext in extmap: ext = extmap[ext]
     221        if ext not in known_ext: ext = ext + '.unknown'
     222
    197223        return "%04d-%s%s" % (self.group.pk, slug, ext, )
    198224
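Review bot: the extension check is case-sensitive, so an upload named `foo.PDF` or `foo.Html` ends up as `.PDF.unknown` rather than the canonical `.pdf`/`.html`; the `'.PS': '.ps'` entry in `extmap` only patches one instance of this. Lowercasing once before the lookup (`ext = ext.lower()` right after the `mimetypes` fallback, ahead of `if ext in extmap: ext = extmap[ext]`) handles every case variant and lets the `.PS` entry go. A second point on `if ext not in known_ext: ext = ext + '.unknown'`: appending keeps the original, unrecognized extension in the stored filename, which is the part the commit message says you want to keep away from a PHP- or CGI-enabled server; given that goal, replacing it (`ext = '.unknown'`) is the simpler and stricter choice, and the `# we have no real handling of no extension, .old, and .ksh` comment then becomes accurate since all three collapse to the same safe name.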