afan
/
gitea
Watch 1
Star 0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
gitea源码
3 Commits
2 Branches
Branch: master
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'master'
${ noResults }
gitea/services/context/upload/upload.go

upload.go 4.3KB
Permalink History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125 
  1. // Copyright 2019 The Gitea Authors. All rights reserved.

  2. // SPDX-License-Identifier: MIT

  3. 

  4. package upload

  5. 

  6. import (

  7. 	"mime"

  8. 	"net/http"

  9. 	"net/url"

  10. 	"path"

  11. 	"regexp"

  12. 	"strings"

  13. 

  14. 	repo_model "code.gitea.io/gitea/models/repo"

  15. 	"code.gitea.io/gitea/modules/log"

  16. 	"code.gitea.io/gitea/modules/reqctx"

  17. 	"code.gitea.io/gitea/modules/setting"

  18. 	"code.gitea.io/gitea/services/context"

  19. )

  20. 

  21. // ErrFileTypeForbidden not allowed file type error

  22. type ErrFileTypeForbidden struct {

  23. 	Type string

  24. }

  25. 

  26. // IsErrFileTypeForbidden checks if an error is a ErrFileTypeForbidden.

  27. func IsErrFileTypeForbidden(err error) bool {

  28. 	_, ok := err.(ErrFileTypeForbidden)

  29. 	return ok

  30. }

  31. 

  32. func (err ErrFileTypeForbidden) Error() string {

  33. 	return "This file cannot be uploaded or modified due to a forbidden file extension or type."

  34. }

  35. 

  36. var wildcardTypeRe = regexp.MustCompile(`^[a-z]+/\*$`)

  37. 

  38. // Verify validates whether a file is allowed to be uploaded. If buf is empty, it will just check if the file

  39. // has an allowed file extension.

  40. func Verify(buf []byte, fileName, allowedTypesStr string) error {

  41. 	allowedTypesStr = strings.ReplaceAll(allowedTypesStr, "|", ",") // compat for old config format

  42. 

  43. 	allowedTypes := []string{}

  44. 	for entry := range strings.SplitSeq(allowedTypesStr, ",") {

  45. 		entry = strings.ToLower(strings.TrimSpace(entry))

  46. 		if entry != "" {

  47. 			allowedTypes = append(allowedTypes, entry)

  48. 		}

  49. 	}

  50. 

  51. 	if len(allowedTypes) == 0 {

  52. 		return nil // everything is allowed

  53. 	}

  54. 

  55. 	fullMimeType := http.DetectContentType(buf)

  56. 	mimeType, _, err := mime.ParseMediaType(fullMimeType)

  57. 	if err != nil {

  58. 		log.Warn("Detected attachment type could not be parsed %s", fullMimeType)

  59. 		return ErrFileTypeForbidden{Type: fullMimeType}

  60. 	}

  61. 	extension := strings.ToLower(path.Ext(fileName))

  62. 	isBufEmpty := len(buf) <= 1

  63. 

  64. 	// https://developer.mozilla.org/en-US/docs/Web/HTML/Element/input/file#Unique_file_type_specifiers

  65. 	for _, allowEntry := range allowedTypes {

  66. 		if allowEntry == "*/*" {

  67. 			return nil // everything allowed

  68. 		}

  69. 		if strings.HasPrefix(allowEntry, ".") && allowEntry == extension {

  70. 			return nil // extension is allowed

  71. 		}

  72. 		if isBufEmpty {

  73. 			continue // skip mime type checks if buffer is empty

  74. 		}

  75. 		if mimeType == allowEntry {

  76. 			return nil // mime type is allowed

  77. 		}

  78. 		if wildcardTypeRe.MatchString(allowEntry) && strings.HasPrefix(mimeType, allowEntry[:len(allowEntry)-1]) {

  79. 			return nil // wildcard match, e.g. image/*

  80. 		}

  81. 	}

  82. 

  83. 	if !isBufEmpty {

  84. 		log.Info("Attachment with type %s blocked from upload", fullMimeType)

  85. 	}

  86. 

  87. 	return ErrFileTypeForbidden{Type: fullMimeType}

  88. }

  89. 

  90. // AddUploadContext renders template values for dropzone

  91. func AddUploadContext(ctx *context.Context, uploadType string) {

  92. 	switch uploadType {

  93. 	case "release":

  94. 		ctx.Data["UploadUrl"] = ctx.Repo.RepoLink + "/releases/attachments"

  95. 		ctx.Data["UploadRemoveUrl"] = ctx.Repo.RepoLink + "/releases/attachments/remove"

  96. 		ctx.Data["UploadLinkUrl"] = ctx.Repo.RepoLink + "/releases/attachments"

  97. 		ctx.Data["UploadAccepts"] = strings.ReplaceAll(setting.Repository.Release.AllowedTypes, "|", ",")

  98. 		ctx.Data["UploadMaxFiles"] = setting.Attachment.MaxFiles

  99. 		ctx.Data["UploadMaxSize"] = setting.Attachment.MaxSize

  100. 	case "comment":

  101. 		ctx.Data["UploadUrl"] = ctx.Repo.RepoLink + "/issues/attachments"

  102. 		ctx.Data["UploadRemoveUrl"] = ctx.Repo.RepoLink + "/issues/attachments/remove"

  103. 		if len(ctx.PathParam("index")) > 0 {

  104. 			ctx.Data["UploadLinkUrl"] = ctx.Repo.RepoLink + "/issues/" + url.PathEscape(ctx.PathParam("index")) + "/attachments"

  105. 		} else {

  106. 			ctx.Data["UploadLinkUrl"] = ctx.Repo.RepoLink + "/issues/attachments"

  107. 		}

  108. 		ctx.Data["UploadAccepts"] = strings.ReplaceAll(setting.Attachment.AllowedTypes, "|", ",")

  109. 		ctx.Data["UploadMaxFiles"] = setting.Attachment.MaxFiles

  110. 		ctx.Data["UploadMaxSize"] = setting.Attachment.MaxSize

  111. 	default:

  112. 		setting.PanicInDevOrTesting("Invalid upload type: %s", uploadType)

  113. 	}

  114. }

  115. 

  116. func AddUploadContextForRepo(ctx reqctx.RequestContext, repo *repo_model.Repository) {

  117. 	ctxData, repoLink := ctx.GetData(), repo.Link()

  118. 	ctxData["UploadUrl"] = repoLink + "/upload-file"

  119. 	ctxData["UploadRemoveUrl"] = repoLink + "/upload-remove"

  120. 	ctxData["UploadLinkUrl"] = repoLink + "/upload-file"

  121. 	ctxData["UploadAccepts"] = strings.ReplaceAll(setting.Repository.Upload.AllowedTypes, "|", ",")

  122. 	ctxData["UploadMaxFiles"] = setting.Repository.Upload.MaxFiles

  123. 	ctxData["UploadMaxSize"] = setting.Repository.Upload.FileMaxSize

  124. }