Add file upload management #30

merged 1 commit into from Sep 1, 2012
@@ -87,12 +87,12 @@ class ContactForm(self.contact_form, HoneyPotContactForm):
FormClass = ContactForm
if request.method == "POST":
- return FormClass(request, data=request.POST)
+ return FormClass(request, data=request.POST, files=request.FILES)
return FormClass(request)
- def send(self, form, site_email):
+ def send(self, form, site_email, attachments=None):
subject = form.cleaned_data['subject']
if not subject:
subject = _('No subject')
@@ -108,6 +108,9 @@ def send(self, form, site_email):
headers = {
'Reply-To': form.cleaned_data['email']
+ if attachments:
+ for var_name, data in attachments.iteritems():
+ email_message.attach(,, data.content_type)
def render(self, context, instance, placeholder):
@@ -116,7 +119,7 @@ def render(self, context, instance, placeholder):
form = self.create_form(instance, request)
if request.method == "POST" and form.is_valid():
- self.send(form, instance.site_email)
+ self.send(form, instance.site_email, attachments=request.FILES)
mitar Oct 14, 2012 Collaborator

This is not good. You are passing files even if form had no fields for them! So somebody can add attachments even when form has no support for them. This could lead to some security issues (there are also no checks on attachment size).

form instance should be enough for attachments. If files were attached, they can be found in corresponding FileField.

maccesch Oct 14, 2012 Owner

You're right as you said in #32. I haven't gotten around to fix this yet. But if you want you can do it too.

mitar Oct 14, 2012 Collaborator

Oh, forgot about that. I was just going through some old e-mails. :-)

context.update( {
'contact': instance,