author | Jon Bergli Heier <snakebite@jvnv.net> | 2021-03-28 16:38:05 +0200 |
---|---|---|
committer | Jon Bergli Heier <snakebite@jvnv.net> | 2021-03-28 16:42:40 +0200 |
commit | 7a95ba7647b1bd169a68787f88adc9eeef244883 (patch) | |
tree | 8b16e4cdc2d0759ac6ed2c395edd46ee9eb94665 /fbin | |
parent | 9abb06be301ccdacc4393873386c34d4f3721f7c (diff) |
Add mimetype blacklisting
Add two new configuration options: MIMETYPE_BLACKLIST and
MIMETYPE_USER_WHITELIST. Any mimetype in MIMETYPE_BLACKLIST will be sent
as either text/plain or application/octet-stream depending on the actual
mimetype returned. If the uploader's username is specified in
MIMETYPE_USER_WHITELIST, the blacklist is ignored.
Diffstat (limited to 'fbin')
-rwxr-xr-x | fbin/fbin.py | 10 |
1 files changed, 9 insertions, 1 deletions
diff --git a/fbin/fbin.py b/fbin/fbin.py
index c449a55..a195594 100755
--- a/fbin/fbin.py
+++ b/fbin/fbin.py
@@ -176,7 +176,15 @@ def _file(hash, ext=None, filename=None):
 return path
 if not path or not os.path.exists(path):
 abort(404)
- return send_file(path, attachment_filename=f.filename)
+ mimetype = f.get_mime_type()
+ # Serve blacklisted mimetypes as either text/plain or application/octet-stream
+ if mimetype in current_app.config['MIMETYPE_BLACKLIST'] and (f.user is None
+ or f.user.username not in current_app.config['MIMETYPE_USER_WHITELIST']):
+ if mimetype.startswith('text/'):
+ mimetype = 'text/plain'
+ else:
+ mimetype = 'application/octet-stream'
+ return send_file(path, mimetype=mimetype, attachment_filename=f.filename)
 
 @app.route('/l')
 @app.route('/login') |
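Review bot: The downgrade to `text/plain` / `application/octet-stream` in `_file` only protects viewers if the browser honours the declared type, and the new `return send_file(...)` sends the response without `X-Content-Type-Options: nosniff`. Unless a hook elsewhere adds that header, consider `resp = send_file(path, mimetype=mimetype, attachment_filename=f.filename)`, `resp.headers['X-Content-Type-Options'] = 'nosniff'`, `return resp`. The blacklist test is an exact string match, so if `f.get_mime_type()` (not visible here) can return parameters or mixed case, for example a constructed `text/html; charset=utf-8`, a `text/html` entry would not match; comparing on `mimetype.split(';')[0].strip().lower()` would close that gap. Both options are read with `[]`, so a deployment that upgrades without defining them would raise KeyError on every download unless defaults are set elsewhere; `current_app.config.get('MIMETYPE_BLACKLIST', ())` fails softer. `_file` begins before this hunk, so how `f` and `path` are obtained is not visible.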