✨(backend) allow uploading more types of attachments

We want to allow users to upload files to a document, not just images. We try to enforce coherence between the file extension and the real mime type of its content. If a file is deemed unsafe, it is still accepted during upload and the information is stored as metadata on the object for display to readers.
2024-10-07 20:10:42 +02:00
parent a9f08df566
commit e8d95facdf
7 changed files with 229 additions and 50 deletions
--- a/src/backend/impress/settings.py
+++ b/src/backend/impress/settings.py
@@ -144,14 +144,75 @@ class Base(Configuration):
        environ_name="DOCUMENT_IMAGE_MAX_SIZE",
        environ_prefix=None,
    )
-    DOCUMENT_IMAGE_ALLOWED_MIME_TYPES = [
-        "image/bmp",
-        "image/gif",
-        "image/jpeg",
-        "image/png",
+
+    DOCUMENT_UNSAFE_MIME_TYPES = [
+        # Executable Files
+        "application/x-msdownload",
+        "application/x-bat",
+        "application/x-dosexec",
+        "application/x-sh",
+        "application/x-ms-dos-executable",
+        "application/x-msi",
+        "application/java-archive",
+        "application/octet-stream",
+        # Dynamic Web Pages
+        "application/x-httpd-php",
+        "application/x-asp",
+        "application/x-aspx",
+        "application/jsp",
+        "application/xhtml+xml",
+        "application/x-python-code",
+        "application/x-perl",
+        "text/html",
+        "text/javascript",
+        "text/x-php",
+        # System Files
+        "application/x-msdownload",
+        "application/x-sys",
+        "application/x-drv",
+        "application/cpl",
+        "application/x-apple-diskimage",
+        # Script Files
+        "application/javascript",
+        "application/x-vbscript",
+        "application/x-powershell",
+        "application/x-shellscript",
+        # Compressed/Archive Files
+        "application/zip",
+        "application/x-tar",
+        "application/gzip",
+        "application/x-bzip2",
+        "application/x-7z-compressed",
+        "application/x-rar",
+        "application/x-rar-compressed",
+        "application/x-compress",
+        "application/x-lzma",
+        # Macros in Documents
+        "application/vnd.ms-word",
+        "application/vnd.ms-excel",
+        "application/vnd.ms-powerpoint",
+        "application/vnd.ms-word.document.macroenabled.12",
+        "application/vnd.ms-excel.sheet.macroenabled.12",
+        "application/vnd.ms-powerpoint.presentation.macroenabled.12",
+        # Disk Images & Virtual Disk Files
+        "application/x-iso9660-image",
+        "application/x-vmdk",
+        "application/x-apple-diskimage",
+        "application/x-dmg",
+        # Other Dangerous MIME Types
+        "application/x-ms-application",
+        "application/x-msdownload",
+        "application/x-shockwave-flash",
+        "application/x-silverlight-app",
+        "application/x-java-vm",
+        "application/x-bittorrent",
+        "application/hta",
+        "application/x-csh",
+        "application/x-ksh",
+        "application/x-ms-regedit",
+        "application/x-msdownload",
+        "application/xml",
        "image/svg+xml",
-        "image/tiff",
-        "image/webp",
    ]

    # Document versions