prevents malicious file from being uploaded

2025-05-10 02:03:06 +00:00 · 2025-05-07 01:54:57 +02:00 · 2025-05-07 01:54:57 +02:00 · c7ffe7688e
commit c7ffe7688e
parent ec1a0ae478
2 changed files with 13 additions and 2 deletions
--- a/eversyncc/views.py
+++ b/eversyncc/views.py
@ -10,6 +10,8 @@ from .forms import UsernameChangeForm, DocumentForm
 from .models import Document
 from django.contrib import messages
 from django.contrib.auth.views import LoginView
+import os
+

 def logout_view(request):
    request.session.flush()
@ -83,6 +85,14 @@ def upload_file(request):
        form = DocumentForm(request.POST, request.FILES)
        if form.is_valid():
            document = form.save(commit=False)
+            filename = document.file.name
+            ext = os.path.splitext(filename)[1].lower()
+
+            forbidden_extensions=['.html','.htm','.php','.exe','.js','.sh','.bat']
+            if ext in forbidden_extensions:
+                request.session.flush()
+                logout(request)
+                return HttpResponse("<html><body><script>alert('Uploading possibly malicious files is forbidden. You have been logged out.'); location.reload();</script></body></html>")
            document.user = request.user
            document.save()
            return redirect('file_list')
--- a/file_list.html
+++ b/file_list.html
@ -11,7 +11,7 @@
    <link rel="stylesheet" href="{% static 'register-style.css' %}" ">
    <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/font-awesome/6.5.0/css/all.min.css">
 </head>
-<body style="overflow: hidden;">
+<body>   
    <div class="header">
        <div class="header-content">
            <a href="/"><img src="{% static 'eversync2.png' %}" alt="Eversync Logo" style="height: 80px; margin-right: 10px; display: flex; align-items: center; gap: 5px;"></a>
@ -60,6 +60,7 @@
            {% endif %}

            <h1>Your Uploaded Files</h1>
+            <div style="display: inline-block;">
            <ul>
                {% for document in documents %}
                <li style="display: flex; justify-content: space-between; align-items: center; margin-bottom: 10px;">
@ -79,7 +80,7 @@
                </li>
            {% endfor %}
            </ul>
-        
+            </div>
            <div class="divider"></div>

            <div style="display: flex; justify-content: center;">