
Commit 4c50579

ndd-odooroyle-vietnam
and authored Jun 26, 2024
[IMP] mail: control file type to upload (#1)
* [IMP] mail: control file type to upload - Before this commit: a user could upload any file type; the problem is that someone might upload a malicious file, such as an HTML file containing harmful code. - After this commit: there is a way to configure which file types are blacklisted (cannot be uploaded), using the system parameter called "mail.blacklist_file_types". * Update addons/mail/controllers/discuss.py --------- Co-authored-by: Roy Le <[email protected]>
1 parent 2528b6b commit 4c50579

3 files changed

+28
-0
lines changed


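--- a/addons/mail/controllers/discuss.py
+++ b/addons/mail/controllers/discuss.py
@@ -15,6 +15,8 @@
 from odoo.tools.translate import _
 from werkzeug.exceptions import NotFound
 
+DEFAULT_BLACKLIST_FILE_TYPE = ['text/html', 'text/javascript']
+
 
 class DiscussController(http.Controller):
 
@@ -237,6 +239,20 @@ def mail_message_update_content(self, message_id, body, attachment_ids, attachme
 
     @http.route('/mail/attachment/upload', methods=['POST'], type='http', auth='public')
     def mail_attachment_upload(self, ufile, thread_id, thread_model, is_pending=False, **kwargs):
+        # BEGIN OVERIDE
+        blacklist_file_types = request.env['ir.config_parameter'].sudo().get_param(
+            'mail.blacklist_file_types',
+            default=DEFAULT_BLACKLIST_FILE_TYPE)
+        if isinstance(blacklist_file_types, str):
+            blacklist_file_types = blacklist_file_types.split(',')
+        # TODO: create a module if making pr for odoo not working
+        if any(blacklist_type in ufile.mimetype for blacklist_type in blacklist_file_types):
+            attachmentData = {'error': _("You are not allowed to upload attachment with extension %s here.", ufile.mimetype)}
+            return request.make_response(
+                data=json.dumps(attachmentData),
+                headers=[('Content-Type', 'application/json')]
+            )
+        # END OVERIDE
         channel_partner = request.env['mail.channel.partner']
         if thread_model == 'mail.channel':
             channel_partner = request.env['mail.channel.partner']._get_as_sudo_from_request_or_raise(request=request, channel_id=int(thread_id))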
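Review bot: The blacklist in the new `mail_attachment_upload` prologue is evaluated against `ufile.mimetype`, which is the type the uploading client declares in the multipart request rather than anything derived from the file content, so on this `auth='public'` route the check only constrains well-behaved clients; the declared type should be cross-checked against a server-side sniff of the leading bytes (Odoo's `guess_mimetype` from `odoo.tools.mimetypes`, if present in this version, which needs an added import), and the configurable list would be safer as an allowlist than a blacklist. The list parsing is also fragile: `split(',')` entries are not stripped, so a value like `"text/html, text/javascript"` never matches the second type, while a trailing comma yields an empty entry that makes the substring test `'' in ufile.mimetype` true and blocks every upload. The error text says "extension" but reports a MIME type, and the marker comments spell it `OVERIDE`; `# BEGIN OVERRIDE` / `# END OVERRIDE` would read better. The rewrite below normalises the configured list and compares bare types without consuming the stream the rest of the method reads; `mail_attachment_upload` continues past the end of the hunk.
```python
    def mail_attachment_upload(self, ufile, thread_id, thread_model, is_pending=False, **kwargs):
        # BEGIN OVERRIDE
        configured = request.env['ir.config_parameter'].sudo().get_param(
            'mail.blacklist_file_types',
            default=DEFAULT_BLACKLIST_FILE_TYPE)
        if isinstance(configured, str):
            configured = configured.split(',')
        # Trim whitespace and drop empty entries: a trailing comma must not become
        # an empty pattern that matches every type.
        blacklist_file_types = {t.strip().lower() for t in configured if t and t.strip()}
        # Client-declared type, without parameters such as "; charset=utf-8".
        declared_type = (ufile.mimetype or '').split(';')[0].strip().lower()
        # Server-side detection from the leading bytes; rewind so the unchanged
        # code below still reads the whole file.
        head = ufile.stream.read(2048)
        ufile.stream.seek(0)
        sniffed_type = guess_mimetype(head, default='application/octet-stream').lower()
        if blacklist_file_types & {declared_type, sniffed_type}:
            # … unchanged: JSON error response …
        # END OVERRIDE
```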

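--- a/addons/mail/i18n/mail.pot
+++ b/addons/mail/i18n/mail.pot
@@ -7557,6 +7557,12 @@ msgstr ""
 msgid "You are not allowed to upload an attachment here."
 msgstr ""
 
+#. module: mail
+#: code:addons/mail/controllers/discuss.py:0
+#, python-format
+msgid "You are not allowed to upload attachment with extension %s here."
+msgstr ""
+
 #. module: mail
 #. openerp-web
 #: code:addons/mail/static/src/models/discuss_sidebar_category_item/discuss_sidebar_category_item.js:0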

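--- a/addons/mail/i18n/vi.po
+++ b/addons/mail/i18n/vi.po
@@ -7887,6 +7887,12 @@ msgstr "Bạn đang ở kênh <b>#%s</b>."
 msgid "You are not allowed to upload an attachment here."
 msgstr "Bạn không có quyền tải lên file đính kèm ở đây."
 
+#. module: mail
+#: code:addons/mail/controllers/discuss.py:0
+#, python-format
+msgid "You are not allowed to upload attachment with extension %s here."
+msgstr "Bạn không có quyền tải lên file đính kèm có đuôi mở rộng loại %s ở đây."
+
 #. module: mail
 #. openerp-web
 #: code:addons/mail/static/src/models/discuss_sidebar_category_item/discuss_sidebar_category_item.js:0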
