From fe2383516deebe587669cdce629339828ce197d3 Mon Sep 17 00:00:00 2001 From: idalin Date: Wed, 15 Feb 2017 14:11:35 +0800 Subject: [PATCH] limit the extensions of uploading files --- cps/web.py | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/cps/web.py b/cps/web.py index da601c10..f73e974f 100755 --- a/cps/web.py +++ b/cps/web.py @@ -52,6 +52,7 @@ from cgi import escape # Global variables global_task = None +ALLOWED_EXTENSIONS = set(['txt', 'pdf', 'epub', 'mobi', 'azw', 'azw3', 'cbr', 'cbz', 'cbt', 'djvu', 'prc', 'doc', 'docx']) # Proxy Helper class @@ -2115,6 +2116,13 @@ def upload(): db.session.connection().connection.connection.create_function('uuid4', 0, lambda: str(uuid4())) if request.method == 'POST' and 'btn-upload' in request.files: file = request.files['btn-upload'] + if not ('.' in file.filename and file.filename.rsplit('.', 1)[1].lower() in ALLOWED_EXTENSIONS): + flash( + _('File extension "%s" is not allowed to be uploaded to this server' % + file.filename.rsplit('.', 1)[1].lower()), + category="error" + ) + return redirect(url_for('index')) meta = uploader.upload(file) title = meta.title