Commit b8cc9d7f1a7af82d6591b0d46dcb9a7e0ea30206
Exists in
master
and in
22 other branches
Merge commit 'refs/merge-requests/13' of git://gitorious.org/noosfero/noosfero i…
…nto merge-requests/13
Showing
10 changed files
with
59 additions
and
0 deletions
Show diff stats
app/models/environment.rb
| @@ -9,6 +9,13 @@ class Environment < ActiveRecord::Base | @@ -9,6 +9,13 @@ class Environment < ActiveRecord::Base | ||
| 9 | 9 | ||
| 10 | has_many :tasks, :dependent => :destroy, :as => 'target' | 10 | has_many :tasks, :dependent => :destroy, :as => 'target' |
| 11 | 11 | ||
| 12 | + IDENTIFY_SCRIPTS = /(?:php[0-9s]?(\..*)?|[sp]htm[l]?(\..*)?|pl|py|cgi|rb)/ | ||
| 13 | + | ||
| 14 | + def self.verify_filename(filename) | ||
| 15 | + filename += '.txt' if filename =~ IDENTIFY_SCRIPTS | ||
| 16 | + return filename | ||
| 17 | + end | ||
| 18 | + | ||
| 12 | PERMISSIONS['Environment'] = { | 19 | PERMISSIONS['Environment'] = { |
| 13 | 'view_environment_admin_panel' => N_('View environment admin panel'), | 20 | 'view_environment_admin_panel' => N_('View environment admin panel'), |
| 14 | 'edit_environment_features' => N_('Edit environment features'), | 21 | 'edit_environment_features' => N_('Edit environment features'), |
app/models/image.rb
| @@ -4,6 +4,8 @@ class Image < ActiveRecord::Base | @@ -4,6 +4,8 @@ class Image < ActiveRecord::Base | ||
| 4 | Image.attachment_options[:max_size] | 4 | Image.attachment_options[:max_size] |
| 5 | end | 5 | end |
| 6 | 6 | ||
| 7 | + sanitize_filename | ||
| 8 | + | ||
| 7 | has_attachment :content_type => :image, | 9 | has_attachment :content_type => :image, |
| 8 | :storage => :file_system, | 10 | :storage => :file_system, |
| 9 | :path_prefix => 'public/image_uploads', | 11 | :path_prefix => 'public/image_uploads', |
app/models/thumbnail.rb
| @@ -3,5 +3,7 @@ class Thumbnail < ActiveRecord::Base | @@ -3,5 +3,7 @@ class Thumbnail < ActiveRecord::Base | ||
| 3 | :content_type => :image, :max_size => 5.megabytes | 3 | :content_type => :image, :max_size => 5.megabytes |
| 4 | validates_as_attachment | 4 | validates_as_attachment |
| 5 | 5 | ||
| 6 | + sanitize_filename | ||
| 7 | + | ||
| 6 | postgresql_attachment_fu | 8 | postgresql_attachment_fu |
| 7 | end | 9 | end |
app/models/uploaded_file.rb
| @@ -18,6 +18,8 @@ class UploadedFile < Article | @@ -18,6 +18,8 @@ class UploadedFile < Article | ||
| 18 | 18 | ||
| 19 | validates_size_of :title, :maximum => 60, :if => (lambda { |file| !file.title.blank? }) | 19 | validates_size_of :title, :maximum => 60, :if => (lambda { |file| !file.title.blank? }) |
| 20 | 20 | ||
| 21 | + sanitize_filename | ||
| 22 | + | ||
| 21 | before_create do |uploaded_file| | 23 | before_create do |uploaded_file| |
| 22 | uploaded_file.is_image = true if uploaded_file.image? | 24 | uploaded_file.is_image = true if uploaded_file.image? |
| 23 | end | 25 | end |
| @@ -0,0 +1 @@ | @@ -0,0 +1 @@ | ||
| 1 | +require 'upload_sanitizer' |
| @@ -0,0 +1,13 @@ | @@ -0,0 +1,13 @@ | ||
| 1 | +module UploadSanitizer | ||
| 2 | + def self.included(base) | ||
| 3 | + base.extend(ClassMethods) | ||
| 4 | + end | ||
| 5 | + | ||
| 6 | + module ClassMethods | ||
| 7 | + def sanitize_filename | ||
| 8 | + before_create { |file| file.filename = Environment.verify_filename(file.filename) } | ||
| 9 | + end | ||
| 10 | + end | ||
| 11 | +end | ||
| 12 | + | ||
| 13 | +ActiveRecord::Base.send(:include, UploadSanitizer) |
test/unit/environment_test.rb
| @@ -1123,4 +1123,21 @@ class EnvironmentTest < Test::Unit::TestCase | @@ -1123,4 +1123,21 @@ class EnvironmentTest < Test::Unit::TestCase | ||
| 1123 | assert_no_match /9999/, env.default_hostname | 1123 | assert_no_match /9999/, env.default_hostname |
| 1124 | end | 1124 | end |
| 1125 | 1125 | ||
| 1126 | + should 'identify scripts with regex' do | ||
| 1127 | + scripts_extensions = %w[php php1 php4 phps php.bli cgi shtm phtm shtml phtml pl py rb] | ||
| 1128 | + name = 'uploaded_file' | ||
| 1129 | + scripts_extensions.each do |extension| | ||
| 1130 | + assert_not_nil name+'.'+extension =~ Environment::IDENTIFY_SCRIPTS | ||
| 1131 | + end | ||
| 1132 | + end | ||
| 1133 | + | ||
| 1134 | + should 'verify filename and append .txt if script' do | ||
| 1135 | + scripts_extensions = %w[php php1 php4 phps php.bli cgi shtm phtm shtml phtml pl py rb] | ||
| 1136 | + name = 'uploaded_file' | ||
| 1137 | + scripts_extensions.each do |extension| | ||
| 1138 | + filename = name+'.'+extension | ||
| 1139 | + assert_equal filename+'.txt', Environment.verify_filename(filename) | ||
| 1140 | + end | ||
| 1141 | + end | ||
| 1142 | + | ||
| 1126 | end | 1143 | end |
test/unit/image_test.rb
| @@ -118,4 +118,9 @@ class ImageTest < Test::Unit::TestCase | @@ -118,4 +118,9 @@ class ImageTest < Test::Unit::TestCase | ||
| 118 | file.destroy | 118 | file.destroy |
| 119 | end | 119 | end |
| 120 | 120 | ||
| 121 | + should 'not allow script files to be uploaded without append .txt in the end' do | ||
| 122 | + file = Image.create!(:uploaded_data => fixture_file_upload('files/hello_world.php', 'image/png')) | ||
| 123 | + assert_equal 'hello_world.php.txt', file.filename | ||
| 124 | + end | ||
| 125 | + | ||
| 121 | end | 126 | end |
test/unit/thumbnail_test.rb
| @@ -9,5 +9,10 @@ class ThumbnailTest < Test::Unit::TestCase | @@ -9,5 +9,10 @@ class ThumbnailTest < Test::Unit::TestCase | ||
| 9 | assert_match 'image/', item | 9 | assert_match 'image/', item |
| 10 | end | 10 | end |
| 11 | end | 11 | end |
| 12 | + | ||
| 13 | + should 'not allow script files to be uploaded without append .txt in the end' do | ||
| 14 | + file = Thumbnail.create!(:uploaded_data => fixture_file_upload('files/hello_world.php', 'image/png')) | ||
| 15 | + assert_equal 'hello_world.php.txt', file.filename | ||
| 16 | + end | ||
| 12 | 17 | ||
| 13 | end | 18 | end |
test/unit/uploaded_file_test.rb
| @@ -325,4 +325,9 @@ class UploadedFileTest < Test::Unit::TestCase | @@ -325,4 +325,9 @@ class UploadedFileTest < Test::Unit::TestCase | ||
| 325 | uses_sqlite | 325 | uses_sqlite |
| 326 | end | 326 | end |
| 327 | 327 | ||
| 328 | + should 'not allow script files to be uploaded without append .txt in the end' do | ||
| 329 | + file = UploadedFile.create!(:uploaded_data => fixture_file_upload('files/hello_world.php', 'application/x-php'), :profile => @profile) | ||
| 330 | + assert_equal 'hello_world.php.txt', file.filename | ||
| 331 | + end | ||
| 332 | + | ||
| 328 | end | 333 | end |