Check both extension and mimetype while uploading or unzipping file

mahipjain · mahipjain · commit 48d34695282a · 2018-01-27T17:07:09.000+05:30
diff --git a/filemanager/__init__.py b/filemanager/__init__.py
@@ -10,6 +10,7 @@
 import re
 import tarfile
 import zipfile
+import magic
 
 path_end = r'(?P<path>[\w\d_ -/.]*)$'
 
@@ -186,6 +187,16 @@ def handle_form(self, form, files):
                         for chunk in f.chunks():
                             dest.write(chunk)
                     f.close()
+                    mimetype = magic.from_file(filepath, mime=True)
+                    guessed_exts = mimetypes.guess_all_extensions(mimetype)
+                    guessed_exts = [ext[1:] for ext in guessed_exts]
+                    common = [ext for ext in guessed_exts if ext in self.extensions]
+                    if not common:
+                        os.remove(filepath)
+                        messages.append(
+                            "File type not allowed : "
+                            + f.name
+                        )
             if len(messages) == 0:
                 messages.append('All files uploaded successfully')
         elif action == 'add':
@@ -330,12 +341,26 @@ def handle_form(self, form, files):
                     zip_ref = zipfile.ZipFile(filename, 'r')
                     #zip_ref.extractall(self.basepath + self.current_path)
                     directory = self.basepath + self.current_path
-                    [zip_ref.extract(file, directory) for file
-                        in zip_ref.namelist() if file.endswith(tuple(self.extensions))]
+                    for file in zip_ref.namelist():
+                        if file.endswith(tuple(self.extensions)):
+                            zip_ref.extract(file, directory)
+                            mimetype = magic.from_file(directory + file, mime=True)
+                            print directory + file
+                            guessed_exts = mimetypes.guess_all_extensions(mimetype)
+                            guessed_exts = [ext[1:] for ext in guessed_exts]
+                            common = [ext for ext in guessed_exts if ext in self.extensions]
+                            if not common:
+                                os.remove(directory+file)
+                                messages.append(
+                                    "File in the zip is not allowed : "
+                                    + file
+                                )
                     zip_ref.close()
                 except Exception as e:
                     print e
                     messages.append('ERROR : Could not unzip the file.')
+                if len(messages) == 0:
+                    messages.append('Extraction completed successfully.')
 
         return messages
 
