search

janeczku / calibre-web

:books: Web app for browsing, reading and downloading eBooks stored in a Calibre database
GNU General Public License v3.0
12.22k stars 1.3k forks source link

Some upload filetypes no longer work in latest (0.6.22) version #3102

Open CarlesLlobet opened 3 weeks ago

CarlesLlobet commented 3 weeks ago

Describe the bug/problem

After updating to the latest version, where Python-magic has been addedd to validate myme-types (PR 3061), some uploads fail.

My assumption is that some magicnumbers might be missing, since it only appears to happen with some specific files. Here's an example where both files are M4B (which is accepted according to EXTENSIONS_UPLOAD constant), but one uploads and the other doesn't: telegram-cloud-photo-size-4-5798546939179025337-y

The first one doesn't work, and I haven't been able to find any reference to that Magic number, although it appears to be some sort of reference to M4A and M4A is also accepted according to EXTENSIONS_UPLOAD constant:

The second one does work and I've found it belongs to MPEG4 Part 14.

To Reproduce

Steps to reproduce the behavior:

  1. Drag & Drop an M4B file with the first magic number, such as the above M4B audiobook (upload expirates in 30days)
  2. See error "File type isn't allowed to be uploaded to this server": image

Logfile

Add content of calibre-web.log file or the relevant error, try to reproduce your problem with "debug" log-level to get more output.

Expected behavior

All valid files should be accepted. Either this (and any other missing) magic number is also allowlisted, or instead we opt for a denylist approach with only malicious files (executables and such) are denied, which would be much more maintainable and aligned with any future improvement (such as the adition of a ClamAV or similar upload scan).

Environment (please complete the following information):

Additional context N/A

OzzieIsaacs commented 3 weeks ago

I‘ll Check, as workaround you can deactivate the upload check in admin -> basic config -> security settings -> …

CarlesLlobet commented 3 weeks ago

as workaround you can deactivate the upload check in admin -> basic config -> security settings -> …

Oh didn't know about that option 😍 That will definitely be useful, thx! 💪

OzzieIsaacs commented 3 weeks ago

I knew this would happen

OzzieIsaacs commented 3 weeks ago

I added the correct file type check, please update to the newest nightly version, the upload should work now

CarlesLlobet commented 3 weeks ago

Wow, quickest fix I've ever seen 👀

I've seen where the error was, nice catch. Confirmed its successfully fixed in nightly, thanks 💪

Congrats on such amazing tool and support. 🙏 🎉

OzzieIsaacs commented 3 weeks ago

I‘d like to leave it open till the next release