diff options
| -rw-r--r-- | app/controllers/request_controller.rb | 9 | ||||
| -rw-r--r-- | spec/controllers/request_controller_spec.rb | 15 |
2 files changed, 19 insertions, 5 deletions
diff --git a/app/controllers/request_controller.rb b/app/controllers/request_controller.rb index c35e1688e..513c3716a 100644 --- a/app/controllers/request_controller.rb +++ b/app/controllers/request_controller.rb @@ -4,7 +4,7 @@ # Copyright (c) 2007 UK Citizens Online Democracy. All rights reserved. # Email: francis@mysociety.org; WWW: http://www.mysociety.org/ # -# $Id: request_controller.rb,v 1.172 2009-09-02 17:00:51 francis Exp $ +# $Id: request_controller.rb,v 1.173 2009-09-02 23:21:27 francis Exp $ class RequestController < ApplicationController @@ -577,8 +577,11 @@ class RequestController < ApplicationController @attachment = IncomingMessage.get_attachment_by_url_part_number(@incoming_message.get_attachments_for_display, @part_number) - # Prevent spam to magic request address. - # It's a bit dodgy modifying a binary like this but hey. Some mime types are excluded for that reason. + # check filename in URL matches that in database (use a censor rule if you want to change a filename) + raise "please use same filename as original file has" if @attachment.display_filename != @original_filename + + # Prevent spam to magic request address. Note that the binary + # subsitution method used depends on the content type @attachment.body = @incoming_message.binary_mask_stuff(@attachment.body, @attachment.content_type) @attachment_url = get_attachment_url(:id => @incoming_message.info_request_id, diff --git a/spec/controllers/request_controller_spec.rb b/spec/controllers/request_controller_spec.rb index 783890b40..d0afe00ce 100644 --- a/spec/controllers/request_controller_spec.rb +++ b/spec/controllers/request_controller_spec.rb @@ -102,14 +102,25 @@ describe RequestController, "when showing one request" do get :show, :url_title => 'why_do_you_have_such_a_fancy_dog' (assigns[:info_request_events].size - size_before).should == 1 - get :get_attachment, :incoming_message_id => ir.incoming_messages[1].id, :id => ir.id, :part => 2, :file_name => ['foo.txt'] + get :get_attachment, :incoming_message_id => ir.incoming_messages[1].id, :id => ir.id, :part => 2, :file_name => ['hello.txt'] response.content_type.should == "text/plain" response.should have_text(/Second hello/) - get :get_attachment, :incoming_message_id => ir.incoming_messages[1].id, :id => ir.id, :part => 3, :file_name => ['bar.txt'] + get :get_attachment, :incoming_message_id => ir.incoming_messages[1].id, :id => ir.id, :part => 3, :file_name => ['hello.txt'] response.content_type.should == "text/plain" response.should have_text(/First hello/) end + it "should not download attachments with wrong file name" do + ir = info_requests(:fancy_dog_request) + receive_incoming_mail('incoming-request-two-same-name.email', ir.incoming_email) + + lambda { + get :get_attachment, :incoming_message_id => ir.incoming_messages[1].id, :id => ir.id, :part => 2, + :file_name => ['http://trying.to.hack'] + }.should raise_error(RuntimeError) + end + + end end |