
plugins/mod_http_file_share.lua @ 11315:c52fcea39c8e

mod_http_file_share: Add file type filter. Unlike mod_http_upload, this can't be bypassed by uploading with a different file extension.
author Kim Alvefur <zash@zash.se>
date Tue, 26 Jan 2021 14:53:43 +0100
parent 11314:7c8b02c5a335
child 11316:ae0461b37fbe
--- a/plugins/mod_http_file_share.lua	Tue Jan 26 14:53:24 2021 +0100
+++ b/plugins/mod_http_file_share.lua	Tue Jan 26 14:53:43 2021 +0100
@@ -29,6 +29,7 @@
 local secret = module:get_option_string(module.name.."_secret", require"util.id".long());
 local external_base_url = module:get_option_string(module.name .. "_base_url");
 local file_size_limit = module:get_option_number(module.name .. "_size_limit", 10 * 1024 * 1024); -- 10 MB
+local file_types = module:get_option_set(module.name .. "_allowed_file_types", {});
 
 local access = module:get_option_set(module.name .. "_access", {});
 
@@ -44,6 +45,7 @@
 local upload_errors = errors.init(module.name, namespace, {
 	access = { "auth"; "forbidden" };
 	filename = { "modify"; "bad-request", "Invalid filename" };
+	filetype = { "modify"; "not-acceptable", "File type not allowed" };
 	filesize = { "modify"; "not-acceptable"; "File too large";
 		st.stanza("file-too-large", {xmlns = namespace}):tag("max-size"):text(tostring(file_size_limit)); };
 });
@@ -63,6 +65,10 @@
 		return false, upload_errors.new("filesize");
 	end
 
+	if not ( file_types:empty() or file_types:contains(filetype) or file_types:contains(filetype:gsub("/.*", "/*")) ) then
+		return false, upload_errors.new("filetype");
+	end
+
 	return true;
 end
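Review bot: The allow-list test on the added `if not ( file_types:empty() or ... )` line runs against `filetype`, which is presumably the content type the client declares in the slot request, so it constrains what is stored only if the upload and download paths (outside this hunk) hold the file to that declared type; I would confirm that and record it in a comment such as `-- filetype is the client-declared type; it is not derived from the file contents`. `file_types:empty()` short-circuits to allow, so the default `{}` in the first hunk means no restriction, and a trailing `-- empty = allow all types` on the option line would make that fail-open default explicit. If `filetype` can be nil here (the function signature and its caller are not visible), `filetype:gsub` raises once an allow-list is configured, so a default or guard belongs before this check. `gsub` also returns the substitution count, which is passed on as a second argument to `contains`; writing `file_types:contains((filetype:gsub("/.*", "/*")))` keeps it to one value.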