##// END OF EJS Templates
jro_apps » redmine
RSS
Limit the characters stripped by Attachment#sanitize_filename (#4324)....
Jean-Philippe Lang -
r7797:902b3078d549
parent child
Show More
Side by Side Unified
Context file:
r7797:902b3078d549 Loading diff...:
Show file before | Show file after | Hide comments
@@ -1,203 +1,201
1 1 # Redmine - project management software
2 2 # Copyright (C) 2006-2011 Jean-Philippe Lang
3 3 #
4 4 # This program is free software; you can redistribute it and/or
5 5 # modify it under the terms of the GNU General Public License
6 6 # as published by the Free Software Foundation; either version 2
7 7 # of the License, or (at your option) any later version.
8 8 #
9 9 # This program is distributed in the hope that it will be useful,
10 10 # but WITHOUT ANY WARRANTY; without even the implied warranty of
11 11 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 12 # GNU General Public License for more details.
13 13 #
14 14 # You should have received a copy of the GNU General Public License
15 15 # along with this program; if not, write to the Free Software
16 16 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
17 17
18 18 require "digest/md5"
19 19
20 20 class Attachment < ActiveRecord::Base
21 21 belongs_to :container, :polymorphic => true
22 22 belongs_to :author, :class_name => "User", :foreign_key => "author_id"
23 23
24 24 validates_presence_of :container, :filename, :author
25 25 validates_length_of :filename, :maximum => 255
26 26 validates_length_of :disk_filename, :maximum => 255
27 27 validate :validate_max_file_size
28 28
29 29 acts_as_event :title => :filename,
30 30 :url => Proc.new {|o| {:controller => 'attachments', :action => 'download', :id => o.id, :filename => o.filename}}
31 31
32 32 acts_as_activity_provider :type => 'files',
33 33 :permission => :view_files,
34 34 :author_key => :author_id,
35 35 :find_options => {:select => "#{Attachment.table_name}.*",
36 36 :joins => "LEFT JOIN #{Version.table_name} ON #{Attachment.table_name}.container_type='Version' AND #{Version.table_name}.id = #{Attachment.table_name}.container_id " +
37 37 "LEFT JOIN #{Project.table_name} ON #{Version.table_name}.project_id = #{Project.table_name}.id OR ( #{Attachment.table_name}.container_type='Project' AND #{Attachment.table_name}.container_id = #{Project.table_name}.id )"}
38 38
39 39 acts_as_activity_provider :type => 'documents',
40 40 :permission => :view_documents,
41 41 :author_key => :author_id,
42 42 :find_options => {:select => "#{Attachment.table_name}.*",
43 43 :joins => "LEFT JOIN #{Document.table_name} ON #{Attachment.table_name}.container_type='Document' AND #{Document.table_name}.id = #{Attachment.table_name}.container_id " +
44 44 "LEFT JOIN #{Project.table_name} ON #{Document.table_name}.project_id = #{Project.table_name}.id"}
45 45
46 46 cattr_accessor :storage_path
47 47 @@storage_path = Redmine::Configuration['attachments_storage_path'] || "#{Rails.root}/files"
48 48
49 49 before_save :files_to_final_location
50 50 after_destroy :delete_from_disk
51 51
52 52 def validate_max_file_size
53 53 if self.filesize > Setting.attachment_max_size.to_i.kilobytes
54 54 errors.add(:base, :too_long, :count => Setting.attachment_max_size.to_i.kilobytes)
55 55 end
56 56 end
57 57
58 58 def file=(incoming_file)
59 59 unless incoming_file.nil?
60 60 @temp_file = incoming_file
61 61 if @temp_file.size > 0
62 62 self.filename = sanitize_filename(@temp_file.original_filename)
63 63 self.disk_filename = Attachment.disk_filename(filename)
64 64 self.content_type = @temp_file.content_type.to_s.chomp
65 65 if content_type.blank?
66 66 self.content_type = Redmine::MimeType.of(filename)
67 67 end
68 68 self.filesize = @temp_file.size
69 69 end
70 70 end
71 71 end
72 72
73 73 def file
74 74 nil
75 75 end
76 76
77 77 # Copies the temporary file to its final location
78 78 # and computes its MD5 hash
79 79 def files_to_final_location
80 80 if @temp_file && (@temp_file.size > 0)
81 81 logger.info("Saving attachment '#{self.diskfile}' (#{@temp_file.size} bytes)")
82 82 md5 = Digest::MD5.new
83 83 File.open(diskfile, "wb") do |f|
84 84 buffer = ""
85 85 while (buffer = @temp_file.read(8192))
86 86 f.write(buffer)
87 87 md5.update(buffer)
88 88 end
89 89 end
90 90 self.digest = md5.hexdigest
91 91 end
92 92 @temp_file = nil
93 93 # Don't save the content type if it's longer than the authorized length
94 94 if self.content_type && self.content_type.length > 255
95 95 self.content_type = nil
96 96 end
97 97 end
98 98
99 99 # Deletes file on the disk
100 100 def delete_from_disk
101 101 File.delete(diskfile) if !filename.blank? && File.exist?(diskfile)
102 102 end
103 103
104 104 # Returns file's location on disk
105 105 def diskfile
106 106 "#{@@storage_path}/#{self.disk_filename}"
107 107 end
108 108
109 109 def increment_download
110 110 increment!(:downloads)
111 111 end
112 112
113 113 def project
114 114 container.project
115 115 end
116 116
117 117 def visible?(user=User.current)
118 118 container.attachments_visible?(user)
119 119 end
120 120
121 121 def deletable?(user=User.current)
122 122 container.attachments_deletable?(user)
123 123 end
124 124
125 125 def image?
126 126 self.filename =~ /\.(bmp|gif|jpg|jpe|jpeg|png)$/i
127 127 end
128 128
129 129 def is_text?
130 130 Redmine::MimeType.is_type?('text', filename)
131 131 end
132 132
133 133 def is_diff?
134 134 self.filename =~ /\.(patch|diff)$/i
135 135 end
136 136
137 137 # Returns true if the file is readable
138 138 def readable?
139 139 File.readable?(diskfile)
140 140 end
141 141
142 142 # Bulk attaches a set of files to an object
143 143 #
144 144 # Returns a Hash of the results:
145 145 # :files => array of the attached files
146 146 # :unsaved => array of the files that could not be attached
147 147 def self.attach_files(obj, attachments)
148 148 attached = []
149 149 if attachments && attachments.is_a?(Hash)
150 150 attachments.each_value do |attachment|
151 151 file = attachment['file']
152 152 next unless file && file.size > 0
153 153 a = Attachment.create(:container => obj,
154 154 :file => file,
155 155 :description => attachment['description'].to_s.strip,
156 156 :author => User.current)
157 157 obj.attachments << a
158 158
159 159 if a.new_record?
160 160 obj.unsaved_attachments ||= []
161 161 obj.unsaved_attachments << a
162 162 else
163 163 attached << a
164 164 end
165 165 end
166 166 end
167 167 {:files => attached, :unsaved => obj.unsaved_attachments}
168 168 end
169 169
170 170 def self.latest_attach(attachments, filename)
171 171 attachments.sort_by(&:created_on).reverse.detect {
172 172 |att| att.filename.downcase == filename.downcase
173 173 }
174 174 end
175 175
176 176 private
177 177 def sanitize_filename(value)
178 178 # get only the filename, not the whole path
179 179 just_filename = value.gsub(/^.*(\\|\/)/, '')
180 # NOTE: File.basename doesn't work right with Windows paths on Unix
181 # INCORRECT: just_filename = File.basename(value.gsub('\\\\', '/'))
182 180
183 # Finally, replace all non alphanumeric, hyphens or periods with underscore
184 @filename = just_filename.gsub(/[^\w\.\-]/,'_')
181 # Finally, replace invalid characters with underscore
182 @filename = just_filename.gsub(/[\/\?\%\*\:\|\"\'<>]+/, '_')
185 183 end
186 184
187 185 # Returns an ASCII or hashed filename
188 186 def self.disk_filename(filename)
189 187 timestamp = DateTime.now.strftime("%y%m%d%H%M%S")
190 188 ascii = ''
191 189 if filename =~ %r{^[a-zA-Z0-9_\.\-]*$}
192 190 ascii = filename
193 191 else
194 192 ascii = Digest::MD5.hexdigest(filename)
195 193 # keep the extension if any
196 194 ascii << $1 if filename =~ %r{(\.[a-zA-Z0-9]+)$}
197 195 end
198 196 while File.exist?(File.join(@@storage_path, "#{timestamp}_#{ascii}"))
199 197 timestamp.succ!
200 198 end
201 199 "#{timestamp}_#{ascii}"
202 200 end
203 201 end
Show file before | Show file after | Hide comments
@@ -1,147 +1,168
1 1 # encoding: utf-8
2 2 #
3 3 # Redmine - project management software
4 4 # Copyright (C) 2006-2011 Jean-Philippe Lang
5 5 #
6 6 # This program is free software; you can redistribute it and/or
7 7 # modify it under the terms of the GNU General Public License
8 8 # as published by the Free Software Foundation; either version 2
9 9 # of the License, or (at your option) any later version.
10 10 #
11 11 # This program is distributed in the hope that it will be useful,
12 12 # but WITHOUT ANY WARRANTY; without even the implied warranty of
13 13 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 14 # GNU General Public License for more details.
15 15 #
16 16 # You should have received a copy of the GNU General Public License
17 17 # along with this program; if not, write to the Free Software
18 18 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
19 19
20 20 require File.expand_path('../../test_helper', __FILE__)
21 21
22 22 class AttachmentTest < ActiveSupport::TestCase
23 23 fixtures :users, :projects, :roles, :members, :member_roles,
24 24 :enabled_modules, :issues, :trackers, :attachments
25
26 class MockFile
27 attr_reader :original_filename, :content_type, :content, :size
28
29 def initialize(attributes)
30 @original_filename = attributes[:original_filename]
31 @content_type = attributes[:content_type]
32 @content = attributes[:content] || "Content"
33 @size = content.size
34 end
35 end
25 36
26 37 def setup
27 38 set_tmp_attachments_directory
28 39 end
29 40
30 41 def test_create
31 42 a = Attachment.new(:container => Issue.find(1),
32 43 :file => uploaded_test_file("testfile.txt", "text/plain"),
33 44 :author => User.find(1))
34 45 assert a.save
35 46 assert_equal 'testfile.txt', a.filename
36 47 assert_equal 59, a.filesize
37 48 assert_equal 'text/plain', a.content_type
38 49 assert_equal 0, a.downloads
39 50 assert_equal '1478adae0d4eb06d35897518540e25d6', a.digest
40 51 assert File.exist?(a.diskfile)
41 52 assert_equal 59, File.size(a.diskfile)
42 53 end
43 54
44 55 def test_destroy
45 56 a = Attachment.new(:container => Issue.find(1),
46 57 :file => uploaded_test_file("testfile.txt", "text/plain"),
47 58 :author => User.find(1))
48 59 assert a.save
49 60 assert_equal 'testfile.txt', a.filename
50 61 assert_equal 59, a.filesize
51 62 assert_equal 'text/plain', a.content_type
52 63 assert_equal 0, a.downloads
53 64 assert_equal '1478adae0d4eb06d35897518540e25d6', a.digest
54 65 diskfile = a.diskfile
55 66 assert File.exist?(diskfile)
56 67 assert_equal 59, File.size(a.diskfile)
57 68 assert a.destroy
58 69 assert !File.exist?(diskfile)
59 70 end
60 71
61 72 def test_create_should_auto_assign_content_type
62 73 a = Attachment.new(:container => Issue.find(1),
63 74 :file => uploaded_test_file("testfile.txt", ""),
64 75 :author => User.find(1))
65 76 assert a.save
66 77 assert_equal 'text/plain', a.content_type
67 78 end
68 79
69 80 def test_identical_attachments_at_the_same_time_should_not_overwrite
70 81 a1 = Attachment.create!(:container => Issue.find(1),
71 82 :file => uploaded_test_file("testfile.txt", ""),
72 83 :author => User.find(1))
73 84 a2 = Attachment.create!(:container => Issue.find(1),
74 85 :file => uploaded_test_file("testfile.txt", ""),
75 86 :author => User.find(1))
76 87 assert a1.disk_filename != a2.disk_filename
77 88 end
89
90 def test_filename_should_be_basenamed
91 a = Attachment.new(:file => MockFile.new(:original_filename => "path/to/the/file"))
92 assert_equal 'file', a.filename
93 end
94
95 def test_filename_should_be_sanitized
96 a = Attachment.new(:file => MockFile.new(:original_filename => "valid:[] invalid:?%*|\"'<>chars"))
97 assert_equal 'valid_[] invalid_chars', a.filename
98 end
78 99
79 100 def test_diskfilename
80 101 assert Attachment.disk_filename("test_file.txt") =~ /^\d{12}_test_file.txt$/
81 102 assert_equal 'test_file.txt', Attachment.disk_filename("test_file.txt")[13..-1]
82 103 assert_equal '770c509475505f37c2b8fb6030434d6b.txt', Attachment.disk_filename("test_accentuΓ©.txt")[13..-1]
83 104 assert_equal 'f8139524ebb8f32e51976982cd20a85d', Attachment.disk_filename("test_accentuΓ©")[13..-1]
84 105 assert_equal 'cbb5b0f30978ba03731d61f9f6d10011', Attachment.disk_filename("test_accentuΓ©.Γ§a")[13..-1]
85 106 end
86 107
87 108 context "Attachmnet.attach_files" do
88 109 should "attach the file" do
89 110 issue = Issue.first
90 111 assert_difference 'Attachment.count' do
91 112 Attachment.attach_files(issue,
92 113 '1' => {
93 114 'file' => uploaded_test_file('testfile.txt', 'text/plain'),
94 115 'description' => 'test'
95 116 })
96 117 end
97 118
98 119 attachment = Attachment.first(:order => 'id DESC')
99 120 assert_equal issue, attachment.container
100 121 assert_equal 'testfile.txt', attachment.filename
101 122 assert_equal 59, attachment.filesize
102 123 assert_equal 'test', attachment.description
103 124 assert_equal 'text/plain', attachment.content_type
104 125 assert File.exists?(attachment.diskfile)
105 126 assert_equal 59, File.size(attachment.diskfile)
106 127 end
107 128
108 129 should "add unsaved files to the object as unsaved attachments" do
109 130 # Max size of 0 to force Attachment creation failures
110 131 with_settings(:attachment_max_size => 0) do
111 132 @project = Project.generate!
112 133 response = Attachment.attach_files(@project, {
113 134 '1' => {'file' => mock_file, 'description' => 'test'},
114 135 '2' => {'file' => mock_file, 'description' => 'test'}
115 136 })
116 137
117 138 assert response[:unsaved].present?
118 139 assert_equal 2, response[:unsaved].length
119 140 assert response[:unsaved].first.new_record?
120 141 assert response[:unsaved].second.new_record?
121 142 assert_equal response[:unsaved], @project.unsaved_attachments
122 143 end
123 144 end
124 145 end
125 146
126 147 def test_latest_attach
127 148 Attachment.storage_path = "#{Rails.root}/test/fixtures/files"
128 149 a1 = Attachment.find(16)
129 150 assert_equal "testfile.png", a1.filename
130 151 assert a1.readable?
131 152 assert (! a1.visible?(User.anonymous))
132 153 assert a1.visible?(User.find(2))
133 154 a2 = Attachment.find(17)
134 155 assert_equal "testfile.PNG", a2.filename
135 156 assert a2.readable?
136 157 assert (! a2.visible?(User.anonymous))
137 158 assert a2.visible?(User.find(2))
138 159 assert a1.created_on < a2.created_on
139 160
140 161 la1 = Attachment.latest_attach([a1, a2], "testfile.png")
141 162 assert_equal 17, la1.id
142 163 la2 = Attachment.latest_attach([a1, a2], "Testfile.PNG")
143 164 assert_equal 17, la2.id
144 165
145 166 set_tmp_attachments_directory
146 167 end
147 168 end
General Comments 0
You need to be logged in to leave comments. Login now