Don't trust the browser-provided mimetype if it looks bogus.
Review Request #6118 — Created July 19, 2014 and submitted
A user was reporting that their PDF file uploads were being assigned the
mimetype of "text/text/application/pdf", which is completely bogus. If
splitting on '/' produces anything other than a list of two strings, don't
allow it to proceed.
Ran unit tests.
reviewboard/attachments/forms.py (Diff revision 1) Shouldn't this be blah.split('/') != 2, instead of using not .. ==?
Diff: Revision 2 (+1)
Tool: PEP8 Style Checker
Processed Files: reviewboard/attachments/forms.py
Tool: Pyflakes
Processed Files: reviewboard/attachments/forms.py
reviewboard/attachments/forms.py (Diff revision 2) Can we add a comment above this conditional talking about this, and referencing the bug? It's obscure enough that I think it's worth calling out.
(I'm still a bit skeptical that browsers would be sending such a broken mimetype, but it doesn't hurt to have this I suppose.)
Diff: Revision 3 (+12 -6)
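The check described in this request, written out as a standalone helper. This is an added example, not the code from reviewboard/attachments/forms.py: the function names, the RFC 6838 name check, the parameter stripping and the fallback to guessing from the filename are assumptions that go beyond the two-part split test the description states.

```python
import mimetypes
import re

# RFC 6838 restricted-name: alphanumeric first char, then up to 126 more.
_NAME = r"[A-Za-z0-9][A-Za-z0-9!#$&^_.+-]{0,126}"
_MIMETYPE_RE = re.compile(r"(%s)/(%s)" % (_NAME, _NAME))

# Assumed last-resort value when nothing better is known.
DEFAULT_MIMETYPE = "application/octet-stream"


def _essence(value):
    """Drop parameters such as '; charset=utf-8' and surrounding spaces."""
    return value.split(";", 1)[0].strip()


def is_plausible_mimetype(value):
    """True only for a single well-formed 'type/subtype' pair."""
    if not isinstance(value, str):
        return False
    essence = _essence(value)
    # The check from the request: exactly two parts around one '/'.
    if len(essence.split("/")) != 2:
        return False
    # Extra check (assumption): both parts are valid, non-empty names.
    return _MIMETYPE_RE.fullmatch(essence) is not None


def choose_mimetype(client_value, filename):
    """Return (mimetype, source); source is 'client', 'guessed' or 'default'."""
    if is_plausible_mimetype(client_value):
        return _essence(client_value).lower(), "client"
    # Hypothetical fallback: guess from the file extension instead.
    guessed, _encoding = mimetypes.guess_type(filename)
    if guessed:
        return guessed, "guessed"
    return DEFAULT_MIMETYPE, "default"


if __name__ == "__main__":
    # Constructed sample uploads; the first value is the one from the report.
    samples = [
        ("text/text/application/pdf", "report.pdf"),
        ("application/pdf", "report.pdf"),
        ("text/plain; charset=utf-8", "notes.txt"),
        ("/pdf", "blob"),
    ]
    for value, name in samples:
        print(repr(value), name, "->", choose_mimetype(value, name))
```

A value that passes this check is still client-controlled, so it says only that the string is well-formed, not that it matches the file's content.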