From 8e9c77b3640dcb1348871fbb23ce8e3dd55eec01 Mon Sep 17 00:00:00 2001
From: Terrtia
Date: Wed, 6 Jun 2018 10:05:25 +0200
Subject: [PATCH] verify file upload extention
---
 var/www/Flask_server.py | 4 +-
 .../modules/PasteSubmit/Flask_PasteSubmit.py | 83 +++++++++++--------
 .../PasteSubmit/templates/PasteSubmit.html | 2 +-
 .../PasteSubmit/templates/submiting.html | 1 +
 4 files changed, 54 insertions(+), 36 deletions(-)
diff --git a/var/www/Flask_server.py b/var/www/Flask_server.py
index 077c3ea3..60244814 100755
--- a/var/www/Flask_server.py
+++ b/var/www/Flask_server.py
@@ -131,9 +131,9 @@ taxonomies = Taxonomies()
 for tag in taxonomies.get('infoleak').machinetags():
 r_serv_tags.sadd('active_tag_infoleak', tag)
 for tag in taxonomies.get('gdpr').machinetags():
- r_serv_tags.sadd('active_tag_infoleak', tag)
+ r_serv_tags.sadd('active_tag_gdpr', tag)
 for tag in taxonomies.get('fpf').machinetags():
- r_serv_tags.sadd('active_tag_infoleak', tag)
+ r_serv_tags.sadd('active_tag_fpf', tag)
 # ============ MAIN ============
diff --git a/var/www/modules/PasteSubmit/Flask_PasteSubmit.py b/var/www/modules/PasteSubmit/Flask_PasteSubmit.py
index d86c168e..1816d85c 100644
--- a/var/www/modules/PasteSubmit/Flask_PasteSubmit.py
+++ b/var/www/modules/PasteSubmit/Flask_PasteSubmit.py
@@ -5,7 +5,7 @@ Flask functions and routes for the trending modules page
 '''
 import redis
-from flask import Flask, render_template, jsonify, request, Blueprint, session
+from flask import Flask, render_template, jsonify, request, Blueprint
 '''import random'''
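Review bot: The three taxonomy loops in the Flask_server.py hunk are copy-pasted and differ only in the taxonomy name, which is exactly how the wrong `active_tag_infoleak` key slipped into the gdpr and fpf loops; one loop over the names removes the duplication so the key and the taxonomy cannot drift apart again: `for taxo in ('infoleak', 'gdpr', 'fpf'):` / `    for tag in taxonomies.get(taxo).machinetags():` / `        r_serv_tags.sadd('active_tag_' + taxo, tag)`. Because `sadd` only adds members, an installation that already ran the old code still has the gdpr and fpf tags inside `active_tag_infoleak`; whether that needs a one-off cleanup depends on how that set is consumed, which is outside this hunk. These statements run at module load and the surrounding block continues outside the hunk.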
@@ -31,10 +31,16 @@ PasteSubmit = Blueprint('PasteSubmit', __name__, template_folder='templates')
 valid_filename_chars = "-_ %s%s" % (string.ascii_letters, string.digits)
+ALLOWED_EXTENSIONS = set(['txt', 'zip', 'gzip'])
+
 # ============ FUNCTIONS ============ def one(): return 1
+def allowed_file(filename):
+ return '.' in filename and \
+ filename.rsplit('.', 1)[1].lower() in ALLOWED_EXTENSIONS
+
 def clean_filename(filename, whitelist=valid_filename_chars, replace=' '):
 # replace characters
 for r in replace:
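Review bot: `allowed_file` has no docstring and its result is easy to over-read, since it only inspects the name the client sent and says nothing about the bytes that follow; suggest `"""Return True if *filename* ends in one of ALLOWED_EXTENSIONS (case-insensitive). Only the client-supplied name is checked, never the content."""`. `set(['txt', 'zip', 'gzip'])` can be the literal `{'txt', 'zip', 'gzip'}`. `'gzip'` is rarely a real suffix (gzip files conventionally end in `.gz`), so confirm which spelling the expected uploads carry, otherwise that entry never matches. If zip or gzip uploads are later decompressed somewhere outside this hunk, any size limit applied to the upload should also bound the decompressed output, since the extension check alone does not constrain that.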
@@ -123,47 +129,58 @@ def submit():
 ltagsgalaxies = request.form['tags_galaxies']
 paste_content = request.form['paste_content']
- if paste_content != '':
- if sys.getsizeof(paste_content) < 900000:
+ if ltags or ltagsgalaxies:
+ if not addTagsVerification(ltags, ltagsgalaxies):
+ return 'INVALID TAGS'
- if ltags or ltagsgalaxies:
- if not addTagsVerification(ltags, ltagsgalaxies):
- return 'INVALID TAGS'
+ if 'file' not in request.files:
- to_launch = os.environ['AIL_BIN'] + 'submit_paste.py'
- # get id
- id = str(r_serv_tags.get('submit_id'))
+ file = request.files['file']
- if paste_name:
- # clean file name
- id = clean_filename(paste_name)
+ if file.filename == '':
- # create logs
- r_serv_log_submit.set(id + ':end', 0)
- r_serv_log_submit.set(id + ':nb_total', 1)
- r_serv_log_submit.set(id + ':nb_end', 0)
- r_serv_log_submit.set(id + ':error', 'error:')
+ if paste_content != '':
+ if sys.getsizeof(paste_content) < 900000:
- #incr id
- r_serv_tags.incr('submit_id')
+ to_launch = os.environ['AIL_BIN'] + 'submit_paste.py'
+ # get id
+ id = str(r_serv_tags.get('submit_id'))
- # add submitted tags
- if(ltags != ''):
- ltags = ltags + ',submitted'
- else:
- ltags ='submitted'
-
- # launch process
- process = subprocess.Popen(["python", to_launch, ltags, ltagsgalaxies, paste_content, paste_name, id],
- stdout=subprocess.PIPE)
+ if paste_name:
+ # clean file name
+ id = clean_filename(paste_name)
- return render_template("submiting.html",
- id = id)
+ # create logs
+ r_serv_log_submit.set(id + ':end', 0)
+ r_serv_log_submit.set(id + ':nb_total', 1)
+ r_serv_log_submit.set(id + ':nb_end', 0)
+ r_serv_log_submit.set(id + ':error', 'error:')
- else:
- return 'size error'
+ #incr id
+ r_serv_tags.incr('submit_id')
- return 'submit'
+ # add submitted tags
+ if(ltags != ''):
+ ltags = ltags + ',submitted'
+ else:
+ ltags ='submitted'
+
+ # launch process
+ process = subprocess.Popen(["python", to_launch, ltags, ltagsgalaxies, paste_content, paste_name, id],
+
 stdout=subprocess.PIPE)
+
+ return render_template("submiting.html",
+ id = id)
+
+ else:
+ return 'size error'
+
+ return 'submit'
+
+ if file and allowed_file(file.filename):
+ print(file.read())
+
+ return 'error'
 @PasteSubmit.route("/PasteSubmit/submit_status", methods=['GET'])
 def submit_status():
diff --git a/var/www/modules/PasteSubmit/templates/PasteSubmit.html b/var/www/modules/PasteSubmit/templates/PasteSubmit.html
index 338ef693..b2d01a6e 100644
--- a/var/www/modules/PasteSubmit/templates/PasteSubmit.html
+++ b/var/www/modules/PasteSubmit/templates/PasteSubmit.html
@@ -30,7 +30,7 @@
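Review bot: The new `if 'file' not in request.files:` guard is immediately followed by `file = request.files['file']`, and with indentation lost in this view I cannot tell whether the access is nested under the negated check (then a request without a file part raises a KeyError-type error instead of returning) or the guard has an empty body (a SyntaxError); either way the missing-file path needs its own `return`, and the access should sit under the positive `if 'file' in request.files:`. The upload branch reads the whole file with `print(file.read())` with no size bound, whereas the text branch still checks `sys.getsizeof(paste_content) < 900000`; an equivalent limit (or Flask's `MAX_CONTENT_LENGTH` setting) should apply before the read, and the `print` looks like leftover debugging. Even on an accepted upload that branch falls through to `return 'error'`, so the caller cannot distinguish success from rejection. `submit()` starts outside the hunk, so the form fields read before `ltagsgalaxies` are not visible here.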
-
+
diff --git a/var/www/modules/PasteSubmit/templates/submiting.html b/var/www/modules/PasteSubmit/templates/submiting.html
index 78430d7d..31062b9b 100644
--- a/var/www/modules/PasteSubmit/templates/submiting.html
+++ b/var/www/modules/PasteSubmit/templates/submiting.html
@@ -292,6 +292,7 @@ function submitPaste(){ } } else { //error handler
+ document.getElementById('files_submitted').innerHTML = in_progress;
 if(isError){
 document.getElementById('error_message').innerHTML = error;
 $("#panel_error").removeClass('hidden');
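Review bot: The added line assigns `in_progress` to `innerHTML`, which makes the browser parse the value as markup; `in_progress` is defined outside the hunk so I cannot confirm where it comes from, but if it is plain text `textContent` is the safer property: `document.getElementById('files_submitted').textContent = in_progress;`. The neighbouring `error_message` assignment has the same shape with `error`, so the two should at least agree on one property. The enclosing `submitPaste` function starts and ends outside the hunk.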