From d4f11f13f17580e7af4766d87726e75adfc3c1f5 Mon Sep 17 00:00:00 2001
From: Morgan Aubert
Date: Thu, 6 Apr 2017 13:09:37 -0400
Subject: [PATCH 1/3] Fixed #3524 -- Ensured that filenames are checked when downloading documents
---
 wagtail/wagtaildocs/tests.py | 10 ++--------
 wagtail/wagtaildocs/views/serve.py | 8 +++++++-
 2 files changed, 9 insertions(+), 9 deletions(-)
diff --git a/wagtail/wagtaildocs/tests.py b/wagtail/wagtaildocs/tests.py
index 872f66ef9f..91ecfb8572 100644
--- a/wagtail/wagtaildocs/tests.py
+++ b/wagtail/wagtaildocs/tests.py
@@ -1067,7 +1067,7 @@ class TestServeView(TestCase):
 self.document.file.save('example.doc', ContentFile("A boring example document"))
 def get(self):
- return self.client.get(reverse('wagtaildocs_serve', args=(self.document.id, 'example.doc')))
+ return self.client.get(reverse('wagtaildocs_serve', args=(self.document.id, self.document.filename)))
 def test_response_code(self):
 self.assertEqual(self.get().status_code, 200)
@@ -1104,14 +1104,8 @@ class TestServeView(TestCase):
 self.assertEqual(response.status_code, 404)
 def test_with_incorrect_filename(self):
- """
- Wagtail should be forgiving with filenames at the end of the URL. These
- filenames are to make the URL look nice, and to provide a fallback for
- browsers that do not handle the 'Content-Disposition' header filename
- component. They should not be validated.
- """
 response = self.client.get(reverse('wagtaildocs_serve', args=(self.document.id, 'incorrectfilename')))
- self.assertEqual(response.status_code, 200)
+ self.assertEqual(response.status_code, 404)
 def clear_sendfile_cache(self):
 from wagtail.utils.sendfile import _get_sendfile
diff --git a/wagtail/wagtaildocs/views/serve.py b/wagtail/wagtaildocs/views/serve.py
index 66a1abd43b..7ef4d08f15 100644
--- a/wagtail/wagtaildocs/views/serve.py
+++ b/wagtail/wagtaildocs/views/serve.py
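Review bot: `test_with_incorrect_filename` loses its docstring in this hunk and gets nothing in its place, so the test no longer records why a mismatched filename must now be a 404 rather than served; a replacement such as `"""A filename that is not the document's own must 404: the filename segment is validated, not decorative (#3524)."""` keeps that intent next to the assertion. The only mismatch exercised is a wholly invented name; a second case that pairs this document's id with another document's real filename would pin down that it is the (id, filename) pair that is checked, which is what the serve view's new comment claims. The enclosing test class continues outside the hunk.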
@@ -3,7 +3,7 @@ from __future__ import absolute_import, unicode_literals
 from wsgiref.util import FileWrapper
 from django.conf import settings
-from django.http import BadHeaderError, StreamingHttpResponse
+from django.http import BadHeaderError, Http404, StreamingHttpResponse
 from django.shortcuts import get_object_or_404
 from unidecode import unidecode
@@ -16,6 +16,12 @@ def serve(request, document_id, document_filename):
 Document = get_document_model()
 doc = get_object_or_404(Document, id=document_id)
+ # We want to ensure that the document filename provided in the URL matches the one associated with the considered
+ # document_id. If not we can't be sure that the document the user wants to access is the one corresponding to the
+ # pair.
+ if doc.filename != document_filename:
+ raise Http404
+
 # Send document_served signal
 document_served.send(sender=Document, instance=doc, request=request)
From 7484f2ea1ea94c8423f8fe041db1f73453469eea Mon Sep 17 00:00:00 2001
From: Morgan Aubert
Date: Thu, 6 Apr 2017 13:36:28 -0400
Subject: [PATCH 2/3] Updated the message for the Http404 error raised in the wagtaildocs's serve view
---
 wagtail/wagtaildocs/views/serve.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/wagtail/wagtaildocs/views/serve.py b/wagtail/wagtaildocs/views/serve.py
index 7ef4d08f15..d3e163c4f2 100644
--- a/wagtail/wagtaildocs/views/serve.py
+++ b/wagtail/wagtaildocs/views/serve.py
@@ -20,7 +20,7 @@ def serve(request, document_id, document_filename):
 # document_id. If not we can't be sure that the document the user wants to access is the one corresponding to the
 # pair.
 if doc.filename != document_filename:
- raise Http404
+ raise Http404('This document does not match the given filename.')
 # Send document_served signal
 document_served.send(sender=Document, instance=doc, request=request)
From f0bfadf83ea8c3f83f67753746227861dc3f1650 Mon Sep 17 00:00:00 2001
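Review bot: The new guard runs before `document_served.send(...)`, which is the right place — a rejected request should not reach listeners that record downloads — but nothing in the three-line comment says so, and the comment explains the motivation at length without naming the check's security role or the issue it fixes. I would replace it with `# Refuse to serve a document under any filename but its own (#3524): the filename` / `# segment is part of the document's identity. Checked before document_served so` / `# listeners never see a rejected request.` The comparison being exact (no case folding or normalisation) is what you want for a security check, and a note to that effect stops a later "friendly" relaxation. The body of `serve` continues past the hunk.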
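Review bot: The message on the new `raise Http404` makes a wrong-filename request distinguishable from the `get_object_or_404` failure above it (Django's stock "No Document matches the given query." text), so the two 404s now say whether a document id exists. Django shows Http404 messages on its DEBUG page, and — as far as I recall — since 1.9 the default `page_not_found` handler also passes a string message to the project's `404.html` as `{{ exception }}`, so a site that renders it would hand id-existence to anyone walking the id space; please confirm against the Django versions Wagtail supports. If that matters, use the same wording as the lookup path, `raise Http404('No %s matches the given query.' % Document._meta.object_name)`, so both failures are indistinguishable while still reading sensibly in DEBUG. The body of `serve` continues past the hunk.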
From: Morgan Aubert
Date: Thu, 6 Apr 2017 13:51:54 -0400
Subject: [PATCH 3/3] Updated TestServeViewWithSendfile testcase
---
 wagtail/wagtaildocs/tests.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/wagtail/wagtaildocs/tests.py b/wagtail/wagtaildocs/tests.py
index 91ecfb8572..fdd908cd20 100644
--- a/wagtail/wagtaildocs/tests.py
+++ b/wagtail/wagtaildocs/tests.py
@@ -1125,7 +1125,7 @@ class TestServeViewWithSendfile(TestCase):
 self.document.file.save('example.doc', ContentFile("A boring example document"))
 def get(self):
- return self.client.get(reverse('wagtaildocs_serve', args=(self.document.id, 'example.doc')))
+ return self.client.get(reverse('wagtaildocs_serve', args=(self.document.id, self.document.filename)))
 def clear_sendfile_cache(self):
 from wagtail.utils.sendfile import _get_sendfile