Merge pull request #3528 from savoirfairelinux/fix-3524

Fixed #3524 -- Ensured that filenames are checked when downloading documents
2024-12-01 11:41:20 +01:00 · 2017-04-12 11:35:41 +02:00 · 2017-04-12 11:35:41 +02:00 · d1b2d0eb91
commit d1b2d0eb91
parent 6630d4b66c f0bfadf83e
2 changed files with 10 additions and 10 deletions
--- a/wagtail/wagtaildocs/tests.py
+++ b/wagtail/wagtaildocs/tests.py
@ -1067,7 +1067,7 @@ class TestServeView(TestCase):
        self.document.file.save('example.doc', ContentFile("A boring example document"))

    def get(self):
-        return self.client.get(reverse('wagtaildocs_serve', args=(self.document.id, 'example.doc')))
+        return self.client.get(reverse('wagtaildocs_serve', args=(self.document.id, self.document.filename)))

    def test_response_code(self):
        self.assertEqual(self.get().status_code, 200)
@ -1104,14 +1104,8 @@ class TestServeView(TestCase):
        self.assertEqual(response.status_code, 404)

    def test_with_incorrect_filename(self):
-        """
-        Wagtail should be forgiving with filenames at the end of the URL. These
-        filenames are to make the URL look nice, and to provide a fallback for
-        browsers that do not handle the 'Content-Disposition' header filename
-        component. They should not be validated.
-        """
        response = self.client.get(reverse('wagtaildocs_serve', args=(self.document.id, 'incorrectfilename')))
-        self.assertEqual(response.status_code, 200)
+        self.assertEqual(response.status_code, 404)

    def clear_sendfile_cache(self):
        from wagtail.utils.sendfile import _get_sendfile
@ -1131,7 +1125,7 @@ class TestServeViewWithSendfile(TestCase):
        self.document.file.save('example.doc', ContentFile("A boring example document"))

    def get(self):
-        return self.client.get(reverse('wagtaildocs_serve', args=(self.document.id, 'example.doc')))
+        return self.client.get(reverse('wagtaildocs_serve', args=(self.document.id, self.document.filename)))

    def clear_sendfile_cache(self):
        from wagtail.utils.sendfile import _get_sendfile
--- a/wagtail/wagtaildocs/views/serve.py
+++ b/wagtail/wagtaildocs/views/serve.py
@ -3,7 +3,7 @@ from __future__ import absolute_import, unicode_literals
 from wsgiref.util import FileWrapper

 from django.conf import settings
-from django.http import BadHeaderError, StreamingHttpResponse
+from django.http import BadHeaderError, Http404, StreamingHttpResponse
 from django.shortcuts import get_object_or_404
 from unidecode import unidecode

@ -16,6 +16,12 @@ def serve(request, document_id, document_filename):
    Document = get_document_model()
    doc = get_object_or_404(Document, id=document_id)

+    # We want to ensure that the document filename provided in the URL matches the one associated with the considered
+    # document_id. If not we can't be sure that the document the user wants to access is the one corresponding to the
+    # <document_id, document_filename> pair.
+    if doc.filename != document_filename:
+        raise Http404('This document does not match the given filename.')
+
    # Send document_served signal
    document_served.send(sender=Document, instance=doc, request=request)