Fixed #3524 -- Ensured that filenames are checked when downloading documents

Morgan Aubert 2017-04-06 13:09:37 -04:00
parent eef46dde92
commit d4f11f13f1
2 changed files with 9 additions and 9 deletions


@ -1067,7 +1067,7 @@ class TestServeView(TestCase):
self.document.file.save('example.doc', ContentFile("A boring example document"))
def get(self):
return self.client.get(reverse('wagtaildocs_serve', args=(self.document.id, 'example.doc')))
return self.client.get(reverse('wagtaildocs_serve', args=(self.document.id, self.document.filename)))
def test_response_code(self):
self.assertEqual(self.get().status_code, 200)
@ -1104,14 +1104,8 @@ class TestServeView(TestCase):
self.assertEqual(response.status_code, 404)
def test_with_incorrect_filename(self):
"""
Wagtail should be forgiving with filenames at the end of the URL. These
filenames are to make the URL look nice, and to provide a fallback for
browsers that do not handle the 'Content-Disposition' header filename
component. They should not be validated.
"""
response = self.client.get(reverse('wagtaildocs_serve', args=(self.document.id, 'incorrectfilename')))
self.assertEqual(response.status_code, 200)
self.assertEqual(response.status_code, 404)
def clear_sendfile_cache(self):
from wagtail.utils.sendfile import _get_sendfile
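Review bot: test_with_incorrect_filename is left with no docstring once the old one goes, and the old text ("They should not be validated") stated precisely the behaviour this commit reverses, so the new contract deserves a line of its own: `"""A URL filename that does not match the document's filename must not serve it (404)."""` directly under the def. The get() helper now builds the URL from `self.document.filename`, so the happy path is covered; a companion case where the filename matches but needs URL-encoding (spaces, non-ASCII) would pin down that the view still compares equal after decoding, though how the serve URL is generated is not visible from this hunk. The enclosing TestServeView class continues beyond both hunks.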


@ -3,7 +3,7 @@ from __future__ import absolute_import, unicode_literals
from wsgiref.util import FileWrapper
from django.conf import settings
from django.http import BadHeaderError, StreamingHttpResponse
from django.http import BadHeaderError, Http404, StreamingHttpResponse
from django.shortcuts import get_object_or_404
from unidecode import unidecode
@ -16,6 +16,12 @@ def serve(request, document_id, document_filename):
Document = get_document_model()
doc = get_object_or_404(Document, id=document_id)
# We want to ensure that the document filename provided in the URL matches the one associated with the considered
# document_id. If not we can't be sure that the document the user wants to access is the one corresponding to the
# <document_id, document_filename> pair.
if doc.filename != document_filename:
raise Http404
# Send document_served signal
document_served.send(sender=Document, instance=doc, request=request)
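Review bot: The new `if doc.filename != document_filename:` check sits after the `get_object_or_404` lookup and before `document_served.send`, which is the right order: a mismatch produces the same bare 404 as an unknown id, so the response does not reveal whether the id exists, and the served signal is only emitted for a request that passed the check. The three-line comment above it says more than needed and could read `# Refuse to serve unless the URL filename matches the document's, so a bare id cannot be paired with an arbitrary filename.` The `serve` function begins before this hunk; if it has a docstring it should now state that a filename mismatch raises Http404. Whether `document_filename` arrives URL-decoded so that names with spaces or non-ASCII characters still compare equal to `doc.filename` is not visible here and is worth confirming with a test.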