Check MIME types for file uploads

See: #201
2026-03-21 22:32:17 +00:00 · 2025-10-29 03:11:21 +01:00 · 2025-10-29 03:11:21 +01:00 · 6ec1f1ab30
commit 6ec1f1ab30
parent 8cac73c331
5 changed files with 14 additions and 6 deletions
--- a/2
+++ b/2
@ -30,7 +30,7 @@ ARG SITE

 RUN --mount=type=cache,target=/root/.cache/pip \
  apk add --no-cache lighttpd && \
-	python -m pip install legacy-cgi itsdangerous requests
+	python -m pip install legacy-cgi itsdangerous requests python-libmagic

 COPY --from=build /build/dist /www/
 COPY cgi-bin /cgi-bin/
--- a/cgi-bin/form.py
+++ b/cgi-bin/form.py
@ -16,6 +16,7 @@ from urllib.parse import urljoin
 import cgi
 import itsdangerous
 import requests
+import magic


 def fail(status: str, reason: str) -> None:
@ -38,6 +39,7 @@ HONEYPOT_FIELD_NAME = "addressline1"
 # This regex merely validates what the in-browser form validation already checks and
 # isn't all too strict.
 EMAIL_REGEX = re.compile(r"^[^ ]+@[^ ]+\.[^ ]+$")
+VALID_MIME_TYPES = ("image/jpeg", "image/png", "application/pdf")

 # Mapping from site-defined devices (see sites/angestoepselt/_data/config.json in this
 # repository) to the corresponding Zammad categories:
@ -125,6 +127,7 @@ match os.environ.get("REQUEST_METHOD", "").upper():
 					print(f'<div class="h-captcha" data-sitekey="{os.environ.get("HCAPTCHA_SITE_KEY", "")}"></div>')
 					print(f'</div>')
 				else:
+					line = re.sub(r"<!--\s*input_accept\s*-->", f'accept="{', '.join(VALID_MIME_TYPES)}"', line, flags=re.IGNORECASE)
 					print(line)

 		exit(0)
@ -169,7 +172,12 @@ def get_form_value(
 			or not value_object.file
 		):
 			fail("400 Bad Request", f"Invalid value for field: {name}")
-		return (value_object.filename or "upload"), value_object.file.read()
+		data = value_object.file.read()
+		with magic.Magic() as magic_instance:
+			mime_type = magic_instance.from_buffer(data)
+			if mime_type not in VALID_MIME_TYPES:
+				fail("400 Bad Request", f"Invalid MIME type {mime_type} for upload: {name}")
+		return (value_object.filename or "upload"), data
 	else:
 		try:
 			result = cast(form.getfirst(name))
@ -395,7 +403,7 @@ try:

 	print("Status: 302 Found")
 	print("Content-Type: text/html")
-	print("Location: /kontakt/fertig")
+	print(f"Location: /kontakt/fertig")
 	print("")
 except Exception as e:
 	fail("500 Internal Server Error", str(e))
--- a/sites/angestoepselt/computer-beantragen/privat.md
+++ b/sites/angestoepselt/computer-beantragen/privat.md
@ -68,7 +68,7 @@ eingescannt als PDF.

 <label class="form-input">
  <span>Nachweis hochladen:</span>
-  <input type="file" name="document" required />
+  <input type="file" name="document" required <!-- INPUT_ACCEPT --> />
 </label>

 Bitte gib uns jetzt noch deine Anschrift. Das sollte die gleiche sein, die auch
--- a/sites/angestoepselt/hardware-spenden/organisation.md
+++ b/sites/angestoepselt/hardware-spenden/organisation.md
@ -32,7 +32,7 @@ kein Problem.

 <label class="form-input">
  <span>Inventarliste:</span>
-  <input type="file" name="inventory" />
+  <input type="file" name="inventory" <!-- INPUT_ACCEPT --> />
 </label>

 <label class="form-input">
--- a/sites/angestoepselt/mitmachen/beitreten.md
+++ b/sites/angestoepselt/mitmachen/beitreten.md
@ -97,7 +97,7 @@ fülle das [Lastschriftmandat](/assets/Lastschriftmandat.pdf) aus (entweder ausg
 </label>
 <label class="form-input" data-payment>
  <span>SEPA-Lastschriftmandat:</span>
-  <input type="file" name="document" />
+  <input type="file" name="document" <!-- INPUT_ACCEPT --> />
 </label>

 Noch kurz ein paar Hinweise zum Datenschutz: