Add mimetype blacklisting

Add two new configuration options: MIMETYPE_BLACKLIST and MIMETYPE_USER_WHITELIST. Any mimetype in MIMETYPE_BLACKLIST will be sent as either text/plain or application/octet-stream depending on the actual mimetype returned. If the uploader's username is specified in MIMETYPE_USER_WHITELIST, the blacklist is ignored.
author: Jon Bergli Heier <snakebite@jvnv.net> 2021-03-28 16:38:05 +0200
committer: Jon Bergli Heier <snakebite@jvnv.net> 2021-03-28 16:42:40 +0200
commit: 7a95ba7647b1bd169a68787f88adc9eeef244883 (patch)
tree: 8b16e4cdc2d0759ac6ed2c395edd46ee9eb94665
parent: 9abb06be301ccdacc4393873386c34d4f3721f7c (diff)
1 files changed, 9 insertions, 1 deletions
diff --git a/fbin/fbin.py b/fbin/fbin.py
index c449a55..a195594 100755
--- a/fbin/fbin.py
+++ b/fbin/fbin.py
@@ -176,7 +176,15 @@ def _file(hash, ext=None, filename=None):
         return path
     if not path or not os.path.exists(path):
         abort(404)
-    return send_file(path, attachment_filename=f.filename)
+    mimetype = f.get_mime_type()
+    # Serve blacklisted mimetypes as either text/plain or application/octet-stream
+    if mimetype in current_app.config['MIMETYPE_BLACKLIST'] and (f.user is None
+            or f.user.username not in current_app.config['MIMETYPE_USER_WHITELIST']):
+        if mimetype.startswith('text/'):
+            mimetype = 'text/plain'
+        else:
+            mimetype = 'application/octet-stream'
+    return send_file(path, mimetype=mimetype, attachment_filename=f.filename)
 
 @app.route('/l')
 @app.route('/login')
author	Jon Bergli Heier <snakebite@jvnv.net>	2021-03-28 16:38:05 +0200
committer	Jon Bergli Heier <snakebite@jvnv.net>	2021-03-28 16:42:40 +0200
commit	7a95ba7647b1bd169a68787f88adc9eeef244883 (patch)
tree	8b16e4cdc2d0759ac6ed2c395edd46ee9eb94665
parent	9abb06be301ccdacc4393873386c34d4f3721f7c (diff)