
Small improvements to upload security

Ralfp 12 years ago
parent
commit
7a1cffa5bb
2 changed files with 6 additions and 2 deletions
  1. 4 0
      misago/apps/usercp/avatar/views.py
  2. 2 2
      misago/urls.py

+ 4 - 0
misago/apps/usercp/avatar/views.py

@@ -1,5 +1,6 @@
 from path import path
 from PIL import Image
+from zipfile import is_zipfile
 from django.conf import settings
 from django.core.exceptions import ValidationError
 from django.core.urlresolvers import reverse
@@ -122,6 +123,9 @@ def upload(request):
                     destination.write(chunk)
             request.user.save()
             try:
+                if is_zipfile(image_path):
+                    # Composite file upload
+                    raise ValidationError()                    
                 image = Image.open(image_path)
                 if not image.format in ['GIF', 'PNG', 'JPEG']:
                     raise ValidationError()
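Review bot: The new `is_zipfile(image_path)` check runs only after the upload has already been written to disk (`destination.write(chunk)`) and `request.user.save()` has been called, so a composite file is persisted before it is rejected; whether the `except` branch removes it cannot be seen here, as `upload()`'s body continues outside the hunk. Consider running the check before the write and the save — `is_zipfile` also accepts a file-like object, so it can be applied to the uploaded file directly — and keep in mind that it only detects a ZIP end-of-central-directory record, so the `image.format` whitelist below remains the primary check rather than being replaced by it. Trim the trailing whitespace after `raise ValidationError()` and consider `image.verify()` after `Image.open` so a truncated or mislabelled file is rejected with the same path.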

+ 2 - 2
misago/urls.py

@@ -50,7 +50,7 @@ handler403 = 'misago.apps.errors.error403'
 handler404 = 'misago.apps.errors.error404'
 
 # Make sure people are not keeping uploads and app under same domain
-from django.core.exceptions import ImproperlyConfigured
+import warnings
 from urlparse import urlparse
 if not settings.DEBUG and not urlparse(settings.MEDIA_URL).netloc:
-    raise ImproperlyConfigured('Sharing same domain name between application and user uploaded media is a security risk. Create a subdomain pointing to your media directory (eg. "uploads.myforum.com") and change your MEDIA_URL.')
+    warnings.warn('Sharing same domain name between application and user uploaded media is a security risk. Create a subdomain pointing to your media directory (eg. "uploads.myforum.com") and change your MEDIA_URL.', RuntimeWarning)
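Review bot: Replacing `raise ImproperlyConfigured(...)` with `warnings.warn(..., RuntimeWarning)` turns a hard startup failure into a one-time message on stderr, which under a WSGI server is easy to miss or to suppress with a warning filter, so a deployment the comment on the line above calls a security risk now starts normally. If the intent is to let operators knowingly accept that risk, gate the downgrade on an explicit opt-in setting and keep the raise as the default; otherwise emit it through `logging` so it reaches the configured handlers, e.g. `logging.getLogger(__name__).warning(...)`. The new `import warnings` would also be better placed with the top-of-file imports than mid-module next to the check.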