From 7a95ba7647b1bd169a68787f88adc9eeef244883 Mon Sep 17 00:00:00 2001
From: Jon Bergli Heier <snakebite@jvnv.net>
Date: Sun, 28 Mar 2021 16:38:05 +0200
Subject: Add mimetype blacklisting

Add two new configuration options: MIMETYPE_BLACKLIST and
MIMETYPE_USER_WHITELIST. Any mimetype in MIMETYPE_BLACKLIST will be sent
as either text/plain or application/octet-stream depending on the actual
mimetype returned. If the uploader's username is specified in
MIMETYPE_USER_WHITELIST, the blacklist is ignored.
---
 fbin/fbin.py | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/fbin/fbin.py b/fbin/fbin.py
index c449a55..a195594 100755
--- a/fbin/fbin.py
+++ b/fbin/fbin.py
@@ -176,7 +176,15 @@ def _file(hash, ext=None, filename=None):
         return path
     if not path or not os.path.exists(path):
         abort(404)
-    return send_file(path, attachment_filename=f.filename)
+    mimetype = f.get_mime_type()
+    # Serve blacklisted mimetypes as either text/plain or application/octet-stream
+    if mimetype in current_app.config['MIMETYPE_BLACKLIST'] and (f.user is None
+            or f.user.username not in current_app.config['MIMETYPE_USER_WHITELIST']):
+        if mimetype.startswith('text/'):
+            mimetype = 'text/plain'
+        else:
+            mimetype = 'application/octet-stream'
+    return send_file(path, mimetype=mimetype, attachment_filename=f.filename)
 
 @app.route('/l')
 @app.route('/login')
-- 
cgit v1.2.3