Merge pull request #2902 from jezdez/bug1095649

fix bug 1095649 - added blacklist override constance value to temporarily allow uploading files that are are matched by an ambiguous mimetype like application/gzip
mdn · Nov 7, 2014 · 1dc8e4b · 1dc8e4b
2 parents 1685d10 + edba14e
commit 1dc8e4b
Show file tree

Hide file tree

Showing 3 changed files with 37 additions and 3 deletions.
diff --git a/kuma/demos/models.py b/kuma/demos/models.py
@@ -669,11 +669,15 @@ def validate_demo_zipfile(cls, file):
             # HACK: Sometimes we get "type; charset", even if charset wasn't asked for
             file_mime_type = m_mime.from_buffer(file_data).split(';')[0]
 
-            if file_mime_type in DEMO_MIMETYPE_BLACKLIST:
+            extensions = constance.config.DEMO_BLACKLIST_OVERRIDE_EXTENSIONS.split()
+            override_file_extensions = ['.%s' % extension
+                                       for extension in extensions]
+
+            if (file_mime_type in DEMO_MIMETYPE_BLACKLIST and
+                    not name.endswith(tuple(override_file_extensions))):
                 raise ValidationError(
                     _('ZIP file contains an unacceptable file: %(filename)s') %
-                    {"filename": name}
-                )
+                    {'filename': name})
 
         if not index_found:
             raise ValidationError(_('HTML index not found in ZIP'))

diff --git a/kuma/demos/tests/test_models.py b/kuma/demos/tests/test_models.py
@@ -402,6 +402,30 @@ def test_demo_file_type_blacklist(self):
                                      'ZIP file contains an unacceptable file: badfile',
                                      s.clean)
 
+    @override_constance_settings(DEMO_BLACKLIST_OVERRIDE_EXTENSIONS="yada")
+    def test_demo_blacklist_override(self):
+        """bug 1095649"""
+        sub_fout = StringIO()
+        sub_zf = zipfile.ZipFile(sub_fout, 'w')
+        sub_zf.writestr('hello.txt', 'I am some hidden text')
+        sub_zf.close()
+
+        models.DEMO_MIMETYPE_BLACKLIST = ['application/zip', 'application/x-zip']
+
+        fout = StringIO()
+        zf = zipfile.ZipFile(fout, 'w')
+        zf.writestr('index.html', """<html> </html>""")
+        zf.writestr('yada.yada', sub_fout.getvalue())
+        zf.close()
+
+        self.submission.demo_package.save('play_demo.zip', ContentFile(fout.getvalue()))
+
+        try:
+            self.submission.clean
+        except ValidationError:
+            self.fail("Shouldn't have failed on cleaning "
+                      "a overridded blacklist mimetype")
+
     def test_hidden_demo_next_prev(self):
         """Ensure hidden demos do not display when next() or previous() are called"""
         s = self.submission

diff --git a/settings.py b/settings.py
@@ -920,6 +920,12 @@ def JINJA_CONFIG():
 # Settings and defaults controllable by Constance in admin
 CONSTANCE_CONFIG = dict(
 
+    DEMO_BLACKLIST_OVERRIDE_EXTENSIONS = (
+        'jsgz datagz memgz',
+        'File extensions that override the mimetype blacklist in case of '
+        'an ambigous mimetype such as application/gzip',
+    ),
+
     DEMO_MAX_ZIP_FILESIZE = (
         60 * 1024 * 1024,
         "Max file size for zips uploaded to demo studio."