
Added MIME Type filter for file uploads to prevent dangerous uploads.

1.0
Gisle Aune 7 years ago
parent
commit
1156375b11
  1. 17
      model/file/file.go

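--- a/model/file/file.go
+++ b/model/file/file.go
@@ -100,6 +100,10 @@ func Insert(name, kind, mimeType, author string, time time.Time, size int64, url
 // Upload adds a file to the space.
 func Upload(ctx context.Context, name, mimeType, author string, size int64, input io.Reader) (File, error) {
+if !allowdMimeTypes[mimeType] {
+return File{}, errors.New("File type not allowed:" + mimeType)
+}
 if name == "" {
 date := time.Now().UTC().Format("Jan 02 2006 15:04:05 MST")
 name = "Unnamed file (" + date + ")"
@@ -233,3 +237,16 @@ func init() {
 fileCollection.EnsureIndexKey("kind")
 })
 }
+var allowdMimeTypes = map[string]bool{
+"": false,
+"image/jpeg": true,
+"image/png": true,
+"image/gif": true,
+"text/plain": true,
+"application/json": true,
+"application/pdf": false,
+"binary/octet-stream": false,
+"video/mp4": false,
+"audio/mp3": false,
+}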
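Review bot: The new guard at the top of `Upload` checks only the `mimeType` string it is handed and nothing in the hunk inspects `input`, so if callers take that value from the request's Content-Type (not visible here) a file's declared type and its actual content can disagree and still pass the filter. Consider sniffing the first 512 bytes with `http.DetectContentType`, requiring the sniffed type to be on the allowlist as well, and re-joining those bytes with the reader before the file is stored. JSON sniffs as `text/plain`, so the second check should be allowlist membership rather than equality with the declared type. Serving stored files with `X-Content-Type-Options: nosniff` would cover the remaining gap for `text/plain` uploads. `Upload`'s body continues outside the hunk.

```go
func Upload(ctx context.Context, name, mimeType, author string, size int64, input io.Reader) (File, error) {
	// Read up to 512 bytes so the content itself can be classified.
	head := make([]byte, 512)
	n, err := io.ReadFull(input, head)
	if err != nil && err != io.EOF && err != io.ErrUnexpectedEOF {
		return File{}, err
	}
	head = head[:n]

	// DetectContentType may append parameters ("; charset=utf-8"); compare the bare media type.
	sniffed, _, _ := mime.ParseMediaType(http.DetectContentType(head))
	if !allowdMimeTypes[mimeType] || !allowdMimeTypes[sniffed] {
		return File{}, errors.New("File type not allowed:" + mimeType)
	}

	// Put the sniffed bytes back in front of the remaining stream.
	input = io.MultiReader(bytes.NewReader(head), input)

	// … unchanged: default name handling and the rest of Upload …
```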