Merge commit 'refs/merge-requests/13' of git://gitorious.org/noosfero/noosfero i…

…nto merge-requests/13

Merge commit 'refs/merge-requests/13' of git://gitorious.org/noosfero/noosfero i…
…nto merge-requests/13
Daniela Feitosa
2 parents 602594d6 a5b37281
Showing 10 changed files with 59 additions and 0 deletions Show diff stats
app/models/environment.rb
app/models/image.rb
app/models/thumbnail.rb
app/models/uploaded_file.rb
config/initializers/active_record_extensions.rb
lib/upload_sanitizer.rb
test/unit/environment_test.rb
test/unit/image_test.rb
test/unit/thumbnail_test.rb
test/unit/uploaded_file_test.rb
@@ -9,6 +9,13 @@ class Environment &lt; ActiveRecord::Base
  
   has_many :tasks, :dependent => :destroy, :as => 'target'
  
+  IDENTIFY_SCRIPTS = /(?:php[0-9s]?(\..*)?|[sp]htm[l]?(\..*)?|pl|py|cgi|rb)/
+
+  def self.verify_filename(filename)
+    filename += '.txt' if filename =~ IDENTIFY_SCRIPTS
+    return filename
+  end
+
   PERMISSIONS['Environment'] = {
     'view_environment_admin_panel' => N_('View environment admin panel'),
     'edit_environment_features' => N_('Edit environment features'),
@@ -4,6 +4,8 @@ class Image &lt; ActiveRecord::Base
     Image.attachment_options[:max_size]
   end
  
+  sanitize_filename
+
   has_attachment :content_type => :image, 
                  :storage => :file_system, 
                  :path_prefix => 'public/image_uploads',
@@ -3,5 +3,7 @@ class Thumbnail &lt; ActiveRecord::Base
     :content_type => :image, :max_size => 5.megabytes
   validates_as_attachment
  
+  sanitize_filename
+
   postgresql_attachment_fu
 end
@@ -18,6 +18,8 @@ class UploadedFile &lt; Article
  
   validates_size_of :title, :maximum => 60, :if => (lambda { |file| !file.title.blank? })
  
+  sanitize_filename
+
   before_create do |uploaded_file|
     uploaded_file.is_image = true if uploaded_file.image?
   end
@@ -0,0 +1 @@
+require 'upload_sanitizer'
@@ -0,0 +1,13 @@
+module UploadSanitizer
+  def self.included(base)
+    base.extend(ClassMethods)
+  end
+
+  module ClassMethods
+    def sanitize_filename
+      before_create { |file| file.filename = Environment.verify_filename(file.filename) }
+    end
+  end
+end
+
+ActiveRecord::Base.send(:include, UploadSanitizer)
@@ -1123,4 +1123,21 @@ class EnvironmentTest &lt; Test::Unit::TestCase
     assert_no_match /9999/, env.default_hostname
   end
  
+  should 'identify scripts with regex' do
+    scripts_extensions = %w[php php1 php4 phps php.bli cgi shtm phtm shtml phtml pl py rb]
+    name = 'uploaded_file'
+    scripts_extensions.each do |extension|
+      assert_not_nil name+'.'+extension =~ Environment::IDENTIFY_SCRIPTS
+    end
+  end
+
+  should 'verify filename and append .txt if script' do
+    scripts_extensions = %w[php php1 php4 phps php.bli cgi shtm phtm shtml phtml pl py rb]
+    name = 'uploaded_file'
+    scripts_extensions.each do |extension|
+      filename = name+'.'+extension
+      assert_equal filename+'.txt', Environment.verify_filename(filename)
+    end
+  end
+
 end
@@ -118,4 +118,9 @@ class ImageTest &lt; Test::Unit::TestCase
     file.destroy
   end
  
+  should 'not allow script files to be uploaded without append .txt in the end' do
+    file = Image.create!(:uploaded_data => fixture_file_upload('files/hello_world.php', 'image/png'))
+    assert_equal 'hello_world.php.txt', file.filename
+  end
+
 end
@@ -9,5 +9,10 @@ class ThumbnailTest &lt; Test::Unit::TestCase
       assert_match 'image/', item 
     end
   end
+
+  should 'not allow script files to be uploaded without append .txt in the end' do
+    file = Thumbnail.create!(:uploaded_data => fixture_file_upload('files/hello_world.php', 'image/png'))
+    assert_equal 'hello_world.php.txt', file.filename
+  end
  
 end
@@ -325,4 +325,9 @@ class UploadedFileTest &lt; Test::Unit::TestCase
     uses_sqlite
   end
  
+  should 'not allow script files to be uploaded without append .txt in the end' do
+    file = UploadedFile.create!(:uploaded_data => fixture_file_upload('files/hello_world.php', 'application/x-php'), :profile => @profile)
+    assert_equal 'hello_world.php.txt', file.filename
+  end
+
 end
...	...	@@ -9,6 +9,13 @@ class Environment < ActiveRecord::Base
9	9
10	10	has_many :tasks, :dependent => :destroy, :as => 'target'
11	11
	12	+ IDENTIFY_SCRIPTS = /(?:php[0-9s]?(\..)?\|[sp]htm[l]?(\..)?\|pl\|py\|cgi\|rb)/
	13	+
	14	+ def self.verify_filename(filename)
	15	+ filename += '.txt' if filename =~ IDENTIFY_SCRIPTS
	16	+ return filename
	17	+ end
	18	+
12	19	PERMISSIONS['Environment'] = {
13	20	'view_environment_admin_panel' => N_('View environment admin panel'),
14	21	'edit_environment_features' => N_('Edit environment features'),
...	...
...	...	@@ -4,6 +4,8 @@ class Image < ActiveRecord::Base
4	4	Image.attachment_options[:max_size]
5	5	end
6	6
	7	+ sanitize_filename
	8	+
7	9	has_attachment :content_type => :image,
8	10	:storage => :file_system,
9	11	:path_prefix => 'public/image_uploads',
...	...
...	...	@@ -3,5 +3,7 @@ class Thumbnail < ActiveRecord::Base
3	3	:content_type => :image, :max_size => 5.megabytes
4	4	validates_as_attachment
5	5
	6	+ sanitize_filename
	7	+
6	8	postgresql_attachment_fu
7	9	end
...	...
...	...	@@ -18,6 +18,8 @@ class UploadedFile < Article
18	18
19	19	validates_size_of :title, :maximum => 60, :if => (lambda { \|file\| !file.title.blank? })
20	20
	21	+ sanitize_filename
	22	+
21	23	before_create do \|uploaded_file\|
22	24	uploaded_file.is_image = true if uploaded_file.image?
23	25	end
...	...
...	...	@@ -0,0 +1,13 @@
	1	+module UploadSanitizer
	2	+ def self.included(base)
	3	+ base.extend(ClassMethods)
	4	+ end
	5	+
	6	+ module ClassMethods
	7	+ def sanitize_filename
	8	+ before_create { \|file\| file.filename = Environment.verify_filename(file.filename) }
	9	+ end
	10	+ end
	11	+end
	12	+
	13	+ActiveRecord::Base.send(:include, UploadSanitizer)
...	...
...	...	@@ -1123,4 +1123,21 @@ class EnvironmentTest < Test::Unit::TestCase
1123	1123	assert_no_match /9999/, env.default_hostname
1124	1124	end
1125	1125
	1126	+ should 'identify scripts with regex' do
	1127	+ scripts_extensions = %w[php php1 php4 phps php.bli cgi shtm phtm shtml phtml pl py rb]
	1128	+ name = 'uploaded_file'
	1129	+ scripts_extensions.each do \|extension\|
	1130	+ assert_not_nil name+'.'+extension =~ Environment::IDENTIFY_SCRIPTS
	1131	+ end
	1132	+ end
	1133	+
	1134	+ should 'verify filename and append .txt if script' do
	1135	+ scripts_extensions = %w[php php1 php4 phps php.bli cgi shtm phtm shtml phtml pl py rb]
	1136	+ name = 'uploaded_file'
	1137	+ scripts_extensions.each do \|extension\|
	1138	+ filename = name+'.'+extension
	1139	+ assert_equal filename+'.txt', Environment.verify_filename(filename)
	1140	+ end
	1141	+ end
	1142	+
1126	1143	end
...	...
...	...	@@ -118,4 +118,9 @@ class ImageTest < Test::Unit::TestCase
118	118	file.destroy
119	119	end
120	120
	121	+ should 'not allow script files to be uploaded without append .txt in the end' do
	122	+ file = Image.create!(:uploaded_data => fixture_file_upload('files/hello_world.php', 'image/png'))
	123	+ assert_equal 'hello_world.php.txt', file.filename
	124	+ end
	125	+
121	126	end
...	...
...	...	@@ -9,5 +9,10 @@ class ThumbnailTest < Test::Unit::TestCase
9	9	assert_match 'image/', item
10	10	end
11	11	end
	12	+
	13	+ should 'not allow script files to be uploaded without append .txt in the end' do
	14	+ file = Thumbnail.create!(:uploaded_data => fixture_file_upload('files/hello_world.php', 'image/png'))
	15	+ assert_equal 'hello_world.php.txt', file.filename
	16	+ end
12	17
13	18	end
...	...
...	...	@@ -325,4 +325,9 @@ class UploadedFileTest < Test::Unit::TestCase
325	325	uses_sqlite
326	326	end
327	327
	328	+ should 'not allow script files to be uploaded without append .txt in the end' do
	329	+ file = UploadedFile.create!(:uploaded_data => fixture_file_upload('files/hello_world.php', 'application/x-php'), :profile => @profile)
	330	+ assert_equal 'hello_world.php.txt', file.filename
	331	+ end
	332	+
328	333	end
...	...