mirror of
https://gitcode.com/gitea/gitea.git
synced 2025-06-30 17:30:34 +08:00
.gitea
.github
assets
build
cmd
contrib
custom
docker
docs
models
modules
actions
activitypub
analyze
auth
avatar
base
cache
charset
container
context
csv
doctor
emoji
eventsource
generate
git
gitgraph
graceful
hcaptcha
highlight
hostmatcher
html
httpcache
httplib
indexer
issue
json
label
lfs
log
markup
mcaptcha
metrics
migration
mirror
nosql
notification
options
packages
paginator
pprof
private
process
proxy
proxyprotocol
public
queue
recaptcha
references
regexplru
repository
secret
session
setting
sitemap
ssh
storage
structs
svg
sync
system
templates
test
timeutil
translation
turnstile
typesniffer
updatechecker
upload
upload.go
upload_test.go
uri
user
util
validation
watcher
web
webhook
options
public
routers
services
snap
templates
tests
web_src
.air.toml
.changelog.yml
.dockerignore
.drone.yml
.editorconfig
.eslintrc.yaml
.gitattributes
.gitignore
.gitpod.yml
.golangci.yml
.ignore
.lgtm
.markdownlint.yaml
.npmrc
.spectral.yaml
.stylelintrc.yaml
BSDmakefile
CHANGELOG.md
CODE_OF_CONDUCT.md
CONTRIBUTING.md
DCO
Dockerfile
Dockerfile.rootless
LICENSE
MAINTAINERS
Makefile
README.md
README_ZH.md
SECURITY.md
build.go
go.mod
go.sum
main.go
package-lock.json
package.json
playwright.config.js
vitest.config.js
webpack.config.js
e81ccc406b
Change all license headers to comply with REUSE specification. Fix #16132 Co-authored-by: flynnnnnnnnnn <flynnnnnnnnnn@github> Co-authored-by: John Olheiser <john.olheiser@gmail.com>
106 lines
3.8 KiB
Go
106 lines
3.8 KiB
Go
// Copyright 2019 The Gitea Authors. All rights reserved.
|
|
// SPDX-License-Identifier: MIT
|
|
|
|
package upload
|
|
|
|
import (
|
|
"mime"
|
|
"net/http"
|
|
"net/url"
|
|
"path"
|
|
"regexp"
|
|
"strings"
|
|
|
|
"code.gitea.io/gitea/modules/context"
|
|
"code.gitea.io/gitea/modules/log"
|
|
"code.gitea.io/gitea/modules/setting"
|
|
)
|
|
|
|
// ErrFileTypeForbidden not allowed file type error
|
|
type ErrFileTypeForbidden struct {
|
|
Type string
|
|
}
|
|
|
|
// IsErrFileTypeForbidden checks if an error is a ErrFileTypeForbidden.
|
|
func IsErrFileTypeForbidden(err error) bool {
|
|
_, ok := err.(ErrFileTypeForbidden)
|
|
return ok
|
|
}
|
|
|
|
func (err ErrFileTypeForbidden) Error() string {
|
|
return "This file extension or type is not allowed to be uploaded."
|
|
}
|
|
|
|
var wildcardTypeRe = regexp.MustCompile(`^[a-z]+/\*$`)
|
|
|
|
// Verify validates whether a file is allowed to be uploaded.
|
|
func Verify(buf []byte, fileName, allowedTypesStr string) error {
|
|
allowedTypesStr = strings.ReplaceAll(allowedTypesStr, "|", ",") // compat for old config format
|
|
|
|
allowedTypes := []string{}
|
|
for _, entry := range strings.Split(allowedTypesStr, ",") {
|
|
entry = strings.ToLower(strings.TrimSpace(entry))
|
|
if entry != "" {
|
|
allowedTypes = append(allowedTypes, entry)
|
|
}
|
|
}
|
|
|
|
if len(allowedTypes) == 0 {
|
|
return nil // everything is allowed
|
|
}
|
|
|
|
fullMimeType := http.DetectContentType(buf)
|
|
mimeType, _, err := mime.ParseMediaType(fullMimeType)
|
|
if err != nil {
|
|
log.Warn("Detected attachment type could not be parsed %s", fullMimeType)
|
|
return ErrFileTypeForbidden{Type: fullMimeType}
|
|
}
|
|
extension := strings.ToLower(path.Ext(fileName))
|
|
|
|
// https://developer.mozilla.org/en-US/docs/Web/HTML/Element/input/file#Unique_file_type_specifiers
|
|
for _, allowEntry := range allowedTypes {
|
|
if allowEntry == "*/*" {
|
|
return nil // everything allowed
|
|
} else if strings.HasPrefix(allowEntry, ".") && allowEntry == extension {
|
|
return nil // extension is allowed
|
|
} else if mimeType == allowEntry {
|
|
return nil // mime type is allowed
|
|
} else if wildcardTypeRe.MatchString(allowEntry) && strings.HasPrefix(mimeType, allowEntry[:len(allowEntry)-1]) {
|
|
return nil // wildcard match, e.g. image/*
|
|
}
|
|
}
|
|
|
|
log.Info("Attachment with type %s blocked from upload", fullMimeType)
|
|
return ErrFileTypeForbidden{Type: fullMimeType}
|
|
}
|
|
|
|
// AddUploadContext renders template values for dropzone
|
|
func AddUploadContext(ctx *context.Context, uploadType string) {
|
|
if uploadType == "release" {
|
|
ctx.Data["UploadUrl"] = ctx.Repo.RepoLink + "/releases/attachments"
|
|
ctx.Data["UploadRemoveUrl"] = ctx.Repo.RepoLink + "/releases/attachments/remove"
|
|
ctx.Data["UploadLinkUrl"] = ctx.Repo.RepoLink + "/releases/attachments"
|
|
ctx.Data["UploadAccepts"] = strings.ReplaceAll(setting.Repository.Release.AllowedTypes, "|", ",")
|
|
ctx.Data["UploadMaxFiles"] = setting.Attachment.MaxFiles
|
|
ctx.Data["UploadMaxSize"] = setting.Attachment.MaxSize
|
|
} else if uploadType == "comment" {
|
|
ctx.Data["UploadUrl"] = ctx.Repo.RepoLink + "/issues/attachments"
|
|
ctx.Data["UploadRemoveUrl"] = ctx.Repo.RepoLink + "/issues/attachments/remove"
|
|
if len(ctx.Params(":index")) > 0 {
|
|
ctx.Data["UploadLinkUrl"] = ctx.Repo.RepoLink + "/issues/" + url.PathEscape(ctx.Params(":index")) + "/attachments"
|
|
} else {
|
|
ctx.Data["UploadLinkUrl"] = ctx.Repo.RepoLink + "/issues/attachments"
|
|
}
|
|
ctx.Data["UploadAccepts"] = strings.ReplaceAll(setting.Attachment.AllowedTypes, "|", ",")
|
|
ctx.Data["UploadMaxFiles"] = setting.Attachment.MaxFiles
|
|
ctx.Data["UploadMaxSize"] = setting.Attachment.MaxSize
|
|
} else if uploadType == "repo" {
|
|
ctx.Data["UploadUrl"] = ctx.Repo.RepoLink + "/upload-file"
|
|
ctx.Data["UploadRemoveUrl"] = ctx.Repo.RepoLink + "/upload-remove"
|
|
ctx.Data["UploadLinkUrl"] = ctx.Repo.RepoLink + "/upload-file"
|
|
ctx.Data["UploadAccepts"] = strings.ReplaceAll(setting.Repository.Upload.AllowedTypes, "|", ",")
|
|
ctx.Data["UploadMaxFiles"] = setting.Repository.Upload.MaxFiles
|
|
ctx.Data["UploadMaxSize"] = setting.Repository.Upload.FileMaxSize
|
|
}
|
|
}
|