jrief / django-formset

The missing widgets and form manipulation library for Django
https://django-formset.fly.dev/
MIT License

File upload using attribute `accept = image/jpeg` #109

Open jrief opened 7 months ago

jrief commented 7 months ago

If the file upload uses the attribute {'accept': 'image/jpeg'}, it is still possible to upload files using drag & drop. There should be better validation.

codematsing commented 1 month ago

Just sharing my bandaid solution here:

This still uploads the file to the upload temp directory, but it successfully prompts users that the upload failed and it does not update the Download Button href. Thus, for the system's security checks, it will prevent other people from "officially" uploading unwanted file types as well as downloading them.

import json

from django.http import JsonResponse


class FormViewMixin:
    # Mix this in before formset's FormViewMixin so super() reaches its
    # _receive_uploaded_file(). The file is still written to the upload temp
    # directory; only the success response (with the download href) is withheld.
    def _receive_uploaded_file(self, file_obj, image_height=None):
        response = super()._receive_uploaded_file(file_obj, image_height)
        _data = json.loads(response.content)
        allowed_content_types = ["application/pdf", "image/png", "image/jpeg"]
        if _data['content_type'] in allowed_content_types:
            return response
        # Anything else: answer with an error so the client reports the upload as failed
        return JsonResponse({'error': 'Unsupported file type'}, status=415)
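The `accept` attribute only filters the browser's file chooser, and the Content-Type that arrives with the multipart body is chosen by the client as well, so an allow-list keyed on the declared type can be bypassed by renaming a file or by drag & drop. The following is an added example, not code from django-formset or from the comment above, that decides by the file's leading bytes instead. It assumes nothing about django-formset's response format; `MAGIC_SIGNATURES`, `validate_upload`, `check_samples` and the sample byte strings are all constructed here for illustration.

```python
import io

# Magic-byte signatures for the three content types the work-around above allows.
# The browser's `accept` attribute and the Content-Type it sends are both
# client-controlled; the first bytes of the file are what the server actually stores.
MAGIC_SIGNATURES = {
    "image/jpeg": (b"\xff\xd8\xff",),
    "image/png": (b"\x89PNG\r\n\x1a\n",),
    "application/pdf": (b"%PDF-",),
}

ALLOWED_CONTENT_TYPES = ("application/pdf", "image/png", "image/jpeg")


def sniff_content_type(head):
    """Return the content type whose signature `head` starts with, else None."""
    for content_type, signatures in MAGIC_SIGNATURES.items():
        if any(head.startswith(sig) for sig in signatures):
            return content_type
    return None


def validate_upload(file_obj, declared_content_type, allowed=ALLOWED_CONTENT_TYPES):
    """Check an upload against the allow-list by its bytes, not by its label.

    `file_obj` is any binary file-like object (a Django UploadedFile qualifies);
    the read position is restored so the file can still be saved afterwards.
    Returns the sniffed content type, or raises ValueError with the reason.
    """
    position = file_obj.tell()
    head = file_obj.read(16)            # longest signature above is 8 bytes
    file_obj.seek(position)

    sniffed = sniff_content_type(head)
    if sniffed is None:
        raise ValueError("unrecognised file signature")
    if sniffed not in allowed:
        raise ValueError(f"{sniffed} is not an allowed type")
    if declared_content_type != sniffed:
        # Label and bytes disagree: treat as a spoofing attempt, not as a typo.
        raise ValueError(f"declared {declared_content_type} but content is {sniffed}")
    return sniffed


# Constructed sample uploads (not real files): (bytes, Content-Type the client sent)
SAMPLES = {
    "jpeg_ok": (b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 6, "image/jpeg"),
    "pdf_ok": (b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n", "application/pdf"),
    "exe_as_jpeg": (b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 8, "image/jpeg"),
    "html_as_png": (b"<html><script>alert(1)</script>", "image/png"),
    "png_as_pdf": (b"\x89PNG\r\n\x1a\n" + b"\x00" * 8, "application/pdf"),
}


def check_samples(samples=SAMPLES):
    """Run every sample through validate_upload; map name -> accepted type or 'rejected'."""
    results = {}
    for name, (data, declared) in samples.items():
        try:
            results[name] = validate_upload(io.BytesIO(data), declared)
        except ValueError:
            results[name] = "rejected"
    return results


if __name__ == "__main__":
    for name, outcome in check_samples().items():
        print(f"{name:12} -> {outcome}")
```

The natural place to call `validate_upload` is before the file is written to the upload temp directory at all, with the `UploadedFile` and the content type the client declared, so a rejected file never gets a temporary name to begin with. Signature sniffing is a floor, not a ceiling: it stops renamed executables and HTML, but a file that really is a JPEG or PDF can still carry hostile content, so serve user uploads with a fixed `Content-Type`, `X-Content-Type-Options: nosniff` and ideally from a separate origin.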