
File upload using attribute `accept = image/jpeg`

Open · jrief opened this issue 1 year ago · 1 comment

If the file upload uses the attribute {'accept': 'image/jpeg'}, it is still possible to upload other files using drag & drop. There should be better validation.

jrief (Jan 25 '24 14:01)

Just sharing my bandaid solution here:

This still uploads the file to the upload temp directory, but it successfully tells users that the upload failed, and it does not update the Download button href. Thus, for the system's security checks, it prevents other people from "officially" uploading unwanted file types as well as downloading them.

import json

from django.http import JsonResponse


class FormViewMixin:
    def _receive_uploaded_file(self, file_obj, image_height=None):
        # Let the upstream mixin store the file, then inspect its JSON response.
        response = super()._receive_uploaded_file(file_obj, image_height)
        _data = json.loads(response.content)
        allowed_content_types = ["application/pdf", "image/png", "image/jpeg"]
        if _data['content_type'] in allowed_content_types:
            return response
        # Reject anything else; note the file already sits in the upload temp directory.
        return JsonResponse({'error': 'Unsupported file type'}, status=422)

codematsing (Jul 17 '24 18:07)
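The `accept` attribute is a browser hint only, and the declared Content-Type of an upload is also chosen by the client, so a server-side check should look at the file bytes themselves. The following is an added example written for this thread, not code from django-formset or from either commenter: it sniffs the magic bytes of the three types the bandaid above allows and rejects anything else, or any mismatch between declared and actual type, before the file is accepted. `validate_upload`, `sniff_content_type` and the `SIGNATURES` table are hypothetical names; the sample inputs are constructed inline.

```python
import io

# Magic-byte prefixes for the types the thread wants to allow (constructed table).
SIGNATURES = {
    "image/jpeg": [b"\xff\xd8\xff"],
    "image/png": [b"\x89PNG\r\n\x1a\n"],
    "application/pdf": [b"%PDF-"],
}


def sniff_content_type(head: bytes):
    """Return the content type whose signature matches the leading bytes, or None."""
    for content_type, prefixes in SIGNATURES.items():
        if any(head.startswith(prefix) for prefix in prefixes):
            return content_type
    return None


def validate_upload(fileobj, declared_content_type, allowed=frozenset(SIGNATURES)):
    """Verify an upload by content, not by the browser's claims.

    fileobj is any file-like object with read() and seek(); in a Django view this
    would be the UploadedFile, and ValueError would be re-raised as ValidationError.
    Returns the verified content type on success.
    """
    head = fileobj.read(16)
    fileobj.seek(0)  # leave the stream where the caller found it
    actual = sniff_content_type(head)
    if actual is None or actual not in allowed:
        raise ValueError(
            f"unsupported file type (declared {declared_content_type!r})"
        )
    if declared_content_type != actual:
        # A renamed file or a forged Content-Type header lands here.
        raise ValueError(
            f"declared {declared_content_type!r} but content is {actual!r}"
        )
    return actual


if __name__ == "__main__":
    # Constructed samples: a real JPEG header, a PDF header, and an EXE header.
    samples = [
        (b"\xff\xd8\xff\xe0\x00\x10JFIF\x00", "image/jpeg"),
        (b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n", "application/pdf"),
        (b"MZ\x90\x00\x03\x00\x00\x00", "image/jpeg"),  # exe renamed to .jpg
        (b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR", "image/jpeg"),  # wrong declaration
    ]
    for data, declared in samples:
        try:
            print(declared, "->", validate_upload(io.BytesIO(data), declared))
        except ValueError as exc:
            print(declared, "-> rejected:", exc)
```

In a django-formset view the natural place for this check would be at the start of the `_receive_uploaded_file` override above, called on `file_obj` and `file_obj.content_type` before `super()` is invoked (an assumption about where the hook fits), so that a rejected file is never written to the upload temp directory in the first place.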

Version 1.5.5 now offers a fully working solution for this.

jrief (Oct 07 '24 07:10)