From a21bb36f7c481c996fbe12612cf4c870859d2238 Mon Sep 17 00:00:00 2001
From: Andrew
Date: Tue, 27 Sep 2022 23:07:44 -0400
Subject: [PATCH] Make it so a user cannot upload anything but zip TODO add better feedback than "error"
---
 app/classes/shared/tasks.py | 4 ++--
 app/classes/web/upload_handler.py | 3 +++
 2 files changed, 5 insertions(+), 2 deletions(-)
diff --git a/app/classes/shared/tasks.py b/app/classes/shared/tasks.py
index 6ce0f49a..06c76f0b 100644
--- a/app/classes/shared/tasks.py
+++ b/app/classes/shared/tasks.py
@@ -673,9 +673,9 @@ class TasksManager:
 user.id, {"pfp": self.helper.get_gravatar_image(user.email)}
 )
 # Search for old files in imports
- for file in os.listdir(os.path.join(self.controller.project_root), "imports"):
+ for file in os.listdir(os.path.join(self.controller.project_root, "imports")):
 if self.helper.is_file_older_than_x_days(
- os.path.join(self.controller.project_root), "imports", file
+ os.path.join(self.controller.project_root, "imports", file)
 ):
 try:
 os.remove(os.path.join(file))
diff --git a/app/classes/web/upload_handler.py b/app/classes/web/upload_handler.py
index e4ba8222..077128e4 100644
--- a/app/classes/web/upload_handler.py
+++ b/app/classes/web/upload_handler.py
@@ -109,6 +109,9 @@ class UploadHandler(BaseHandler):
 self.helper.ensure_dir_exists(path)
 filename = self.request.headers.get("X-FileName", None)
+ if not str(filename).endswith(".zip"):
+ self.helper.websocket_helper.broadcast("close_upload_box", "error")
+ self.finish("error")
 full_path = os.path.join(path, filename)
 if self.do_upload:
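Review bot: The deletion on the context line `os.remove(os.path.join(file))` still passes the bare name returned by `os.listdir`, so it resolves against the process working directory rather than the `imports` directory that the corrected `os.path.join` calls now point at. As written, stale uploads under `imports` are likely never removed, and a same-named file in the working directory could be removed instead. Build the path once, e.g. `file_path = os.path.join(self.controller.project_root, "imports", file)`, and use it for both the age check and `os.remove(file_path)`. The `try:` body continues past the end of the hunk, so its error handling is not visible here.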
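Review bot: The new `.zip` check calls `self.finish("error")` but never returns, so execution falls through to `full_path = os.path.join(path, filename)` and the `if self.do_upload:` branch exactly as before; Tornado's `finish()` does not stop the handler method. The check also looks only at the suffix of the client-supplied `X-FileName` header, so a value carrying directory components or an absolute path still passes and is joined onto `path` unmodified, and a missing header becomes the string "None" and then fails inside `os.path.join`. The guard should reject an empty name and any name where `os.path.basename(filename) != filename`, compare the suffix case-insensitively, and return after finishing the request. A suffix test says nothing about the file's content, so whatever later unpacks the archive still has to validate it. The enclosing method starts and ends outside the hunk, so whether `self.do_upload` must also be cleared for later callbacks is not visible here.

```python
filename = self.request.headers.get("X-FileName", None)
# Accept only a plain "*.zip" file name: no missing header, no directory parts.
if (
    not filename
    or os.path.basename(filename) != filename
    or not filename.lower().endswith(".zip")
):
    self.helper.websocket_helper.broadcast("close_upload_box", "error")
    self.finish("error")
    return
full_path = os.path.join(path, filename)
```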