From c2960665c4b467fbdb1cb7528669826b89fa74bc Mon Sep 17 00:00:00 2001
From: Timon Engelke
Date: Mon, 15 Apr 2019 17:18:07 +0200
Subject: [PATCH] Validate ZIP files by magic number instead of file extension

---
 imagetagger/imagetagger/images/views.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/imagetagger/imagetagger/images/views.py b/imagetagger/imagetagger/images/views.py
index a6e09971..eec69cac 100644
--- a/imagetagger/imagetagger/images/views.py
+++ b/imagetagger/imagetagger/images/views.py
@@ -189,8 +189,7 @@ def upload_image(request, imageset_id):
 'unsupported': False,
 'zip': False,
 }
- fname = f.name.split('.')
- if fname[-1] == 'zip':
+ if f.peek(4) == b'PK\x03\x04': # ZIP file magic number
 error['zip'] = True
 zipname = ''.join(random.choice(string.ascii_uppercase + string.ascii_lowercase +
@@ -267,6 +266,7 @@ def upload_image(request, imageset_id):
 # tests for duplicats in imageset
 if Image.objects.filter(checksum=fchecksum, image_set=imageset)\
 .count() == 0:
+ fname = f.name.split('.')
 fname = ('_'.join(fname[:-1]) + '_' + ''.join(random.choice(string.ascii_uppercase + string.ascii_lowercase +
 string.digits) for _ in range(6)) + '.' + fname[-1])
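Review bot: The new condition `if f.peek(4) == b'PK\x03\x04':` compares the entire peeked buffer against a 4-byte string, but `BufferedReader.peek()` treats its argument as a hint and typically returns everything currently buffered (the documentation allows more or fewer bytes than requested), so for any upload longer than four bytes the comparison is false and the ZIP branch is never taken. Read a fixed prefix and restore the position instead, e.g. `f.seek(0)`, `head = f.read(4)`, `f.seek(0)` followed by `if head == b'PK\x03\x04':`, or at minimum slice the result with `f.peek(4)[:4] == b'PK\x03\x04'`. If `f` is a Django `UploadedFile` rather than a raw buffered reader it may not expose `peek()` at all, which is worth confirming against how `f` is obtained; that code is outside the hunk. Note also that these magic bytes only match an archive whose first entry is a local file header, while an empty archive begins with `PK\x05\x06`, so `zipfile.is_zipfile(f)` (followed by `f.seek(0)`) would be a more complete check. `upload_image` begins and ends outside both hunks.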