From ca7595e614767ba3366dc0a87f8b61c8947c7fea Mon Sep 17 00:00:00 2001
From: man13 <man13@inf.ufpr.br>
Date: Mon, 21 Mar 2016 10:48:03 -0300
Subject: [PATCH] adding mime types validations on controller

Signed-off-by: man13 <man13@inf.ufpr.br>
---
 app/controllers/chunks_controller.rb | 30 ++++++++++++++++++++--------
 1 file changed, 22 insertions(+), 8 deletions(-)

diff --git a/app/controllers/chunks_controller.rb b/app/controllers/chunks_controller.rb
index 1a291da3..0752a533 100644
--- a/app/controllers/chunks_controller.rb
+++ b/app/controllers/chunks_controller.rb
@@ -7,19 +7,26 @@ class ChunksController < ApplicationController
   def show
     chunk = resumable_chunk chunk_number
 
-    if File.exists?(chunk)
-      post_file_and_create_thumbnail @learning_object, resumable_filename if last_chunk?
-      #Let resumable.js know this chunk already exists
-      render :nothing => true, :status => 200
+    unless valid_mime_type?
+      render :nothing => true, :status => 415
     else
-      #Let resumable.js know this chunk doesnt exists and needs to be uploaded
-      render :nothing => true, :status => 404
+      if File.exists?(chunk)
+        post_file_and_create_thumbnail @learning_object, resumable_filename if last_chunk?
+        #Let resumable.js know this chunk already exists
+        render :nothing => true, :status => 200
+      else
+        #Let resumable.js know this chunk doesnt exists and needs to be uploaded
+        render :nothing => true, :status => 404
+      end
     end
-
   end
-
   #POST /chunk
   def create
+
+    unless valid_mime_type?
+      return render :nothing => true, :status => 415
+    end
+
     #chunk path based on the parameters
     chunk = resumable_chunk chunk_number
 
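Review bot: The new check in `show` is written as `unless … else`, a form the Ruby style guide discourages, and it also leaves the same MIME rejection shaped differently from the guard form used in `create` a few lines below; a guard clause `return render :nothing => true, :status => 415 unless valid_mime_type?` at the top of `show` keeps both actions identical and drops one nesting level. Since both actions now begin with the same rejection, a `before_action :reject_invalid_mime_type, only: [:show, :create]` would be the more idiomatic Rails home for it and prevents a later action on this controller from forgetting the check. The extension check runs before `File.exists?`, so a request with a disallowed name learns nothing about whether the chunk exists, which is good; whether it also runs after `@learning_object` is loaded depends on a before_action not visible in this hunk. `create`'s body continues outside the hunk.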
@@ -101,6 +108,13 @@ class ChunksController < ApplicationController
     @learning_object = LearningObject.find chunks_params[:learning_object_id]
   end
 
+  def resumable_file_extension
+    File.extname(chunks_params[:resumableFilename]).tr('.','')
+  end
+
+  def valid_mime_type?
+    @learning_object.object_type.mime_types.map(&:extension).include? resumable_file_extension
+  end
   # Never trust parameters from the scary internet, only allow the white list through.
   def chunks_params
     params.permit(:file, :learning_object_id, :resumableIdentifier, :resumableFilename, :resumableChunkNumber, :resumableTotalChunks, :resumableChunkSize)
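Review bot: `valid_mime_type?` only compares the client-supplied `resumableFilename` extension against the allowed list and never looks at the uploaded bytes in `params[:file]`, so a chunk of arbitrary content named `x.jpg` passes; treat this as a first-line filter and verify the assembled file's real content type (magic bytes, e.g. `file --mime-type -b` or a MIME-sniffing library) before `post_file_and_create_thumbnail` stores or serves it. `File.extname(nil)` raises `TypeError`, so a request that omits `resumableFilename` becomes a 500 rather than a 4xx; `File.extname(chunks_params[:resumableFilename].to_s).delete('.')` avoids that, and appending `.downcase` would stop `FOO.JPG` being rejected if the stored extensions are lowercase (confirm against the `mime_types` data before loosening). `extname` returns only the last suffix, so `shell.php.jpg` is accepted — acceptable only if the storage and serving layer never honours an earlier extension. The predicate dereferences `@learning_object`, which appears to be assigned in the method at the top of this hunk; if that before_action is not ordered ahead of the check it raises `NoMethodError` instead of returning 415. A blank line is also missing between `valid_mime_type?` and the `chunks_params` comment; `chunks_params` itself continues outside the hunk.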
-- 
GitLab