check file size before unzipping and then check its the correct size after (bug 625801)

apps/files/tests/test_helpers.py

@@ -6,8 +6,9 @@ import tempfile
 
 from django.conf import settings
 from django.core.cache import cache
+from django import forms
 
-from mock import Mock, patch, patch_object
+from mock import Mock, patch
 from nose.tools import eq_
 import test_utils
 
@@ -162,7 +163,7 @@ class TestFileHelper(test_utils.TestCase):
         rt = files.index(u'chrome')
         eq_(files[rt:rt + 3], [u'chrome', u'chrome/foo', u'chrome.manifest'])
 
-    @patch_object(settings._wrapped, 'FILE_VIEWER_SIZE_LIMIT', 5)
+    @patch.object(settings._wrapped, 'FILE_VIEWER_SIZE_LIMIT', 5)
     def test_file_size(self):
         self.viewer.extract()
         self.viewer.get_files()
@@ -171,6 +172,10 @@ class TestFileHelper(test_utils.TestCase):
         eq_(res, '')
         assert self.viewer.selected['msg'].startswith('File size is')
 
+    @patch.object(settings._wrapped, 'FILE_UNZIP_SIZE_LIMIT', 5)
+    def test_contents_size(self):
+        self.assertRaises(forms.ValidationError, self.viewer.extract)
+
     def test_default(self):
         eq_(self.viewer.get_default(None), 'install.rdf')
 

apps/files/utils.py

@@ -6,6 +6,7 @@ import logging
 import os
 import re
 import shutil
+import stat
 import tempfile
 import zipfile
 from datetime import datetime
@@ -14,6 +15,7 @@ from xml.dom import minidom
 from zipfile import BadZipfile
 
 from django import forms
+from django.conf import settings
 
 import rdflib
 import redisutils
@@ -152,11 +154,28 @@ def extract_zip(source, remove=False, fatal=True):
             raise
         return None
 
-    for f in zip.namelist():
-        if '..' in f or f.startswith('/'):
+    for info in zip.infolist():
+        if '..' in info.filename or info.filename.startswith('/'):
             log.error('Extraction error, Invalid archive: %s' % source)
             raise forms.ValidationError(_('Invalid archive.'))
-    zip.extractall(tempdir)
+
+        if info.file_size > settings.FILE_UNZIP_SIZE_LIMIT:
+            log.error('Extraction error, file too big: %s, %s'
+                      % (source, info.file_size))
+            raise forms.ValidationError(_('Invalid archive.'))
+
+        zip.extract(info, tempdir)
+
+        # TODO (andym): find a way to test this.
+        dest = os.path.join(tempdir, info.filename)
+        if os.path.isdir(dest):
+            # Directories consistently report their size incorrectly.
+            continue
+        size = os.stat(dest)[stat.ST_SIZE]
+        if size != info.file_size:
+            log.error('Extraction error, uncompressed size: %s, %s not %s'
+                      % (source, size, info.file_size))
+            raise forms.ValidationError(_('Invalid archive.'))
 
     if remove:
         os.remove(source)

settings.py

@@ -934,7 +934,10 @@ BLOCKLIST_COOKIE = 'BLOCKLIST_v1'
 # Responsys id used for newsletter subscribing
 RESPONSYS_ID = ''
 
+# The maximum file size that is shown inside the file viewer.
 FILE_VIEWER_SIZE_LIMIT = 1048576
+# The maximum file size that you can have inside a zip file.
+FILE_UNZIP_SIZE_LIMIT = 10485760
 
 # How long to delay modify updates to cope with alleged NFS slowness.
 MODIFIED_DELAY = 3