From 7a95ba7647b1bd169a68787f88adc9eeef244883 Mon Sep 17 00:00:00 2001 From: Jon Bergli Heier Date: Sun, 28 Mar 2021 16:38:05 +0200 Subject: Add mimetype blacklisting Add two new configuration options: MIMETYPE_BLACKLIST and MIMETYPE_USER_WHITELIST. Any mimetype in MIMETYPE_BLACKLIST will be sent as either text/plain or application/octet-stream depending on the actual mimetype returned. If the uploader's username is specified in MIMETYPE_USER_WHITELIST, the blacklist is ignored. --- fbin/fbin.py | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) (limited to 'fbin') diff --git a/fbin/fbin.py b/fbin/fbin.py index c449a55..a195594 100755 --- a/fbin/fbin.py +++ b/fbin/fbin.py @@ -176,7 +176,15 @@ def _file(hash, ext=None, filename=None): return path if not path or not os.path.exists(path): abort(404) - return send_file(path, attachment_filename=f.filename) + mimetype = f.get_mime_type() + # Serve blacklisted mimetypes as either text/plain or application/octet-stream + if mimetype in current_app.config['MIMETYPE_BLACKLIST'] and (f.user is None + or f.user.username not in current_app.config['MIMETYPE_USER_WHITELIST']): + if mimetype.startswith('text/'): + mimetype = 'text/plain' + else: + mimetype = 'application/octet-stream' + return send_file(path, mimetype=mimetype, attachment_filename=f.filename) @app.route('/l') @app.route('/login') -- cgit v1.2.3