zulip/zerver/views/upload.py

# -*- coding: utf-8 -*-

from django.http import HttpRequest, HttpResponse, HttpResponseForbidden, FileResponse, \
    HttpResponseNotFound
from django.shortcuts import redirect
from django.utils.translation import ugettext as _

from zerver.lib.request import has_request_variables, REQ
from zerver.lib.response import json_success, json_error
from zerver.lib.upload import upload_message_image_from_request, get_local_file_path, \
    get_signed_upload_url, get_realm_for_filename, check_upload_within_quota
from zerver.lib.validator import check_bool
from zerver.models import UserProfile, validate_attachment_request
from django.conf import settings
from sendfile import sendfile
from mimetypes import guess_type

def serve_s3(request: HttpRequest, url_path: str) -> HttpResponse:
    uri = get_signed_upload_url(url_path)
    return redirect(uri)

def serve_local(request: HttpRequest, path_id: str) -> HttpResponse:
    local_path = get_local_file_path(path_id)
    if local_path is None:
        return HttpResponseNotFound('<p>File not found</p>')

    # Here we determine whether a browser should treat the file like
    # an attachment (and thus clicking a link to it should download)
    # or like a link (and thus clicking a link to it should display it
    # in a browser tab).  This is controlled by the
    # Content-Disposition header; `django-sendfile` sends the
    # attachment-style version of that header if and only if the
    # attachment argument is passed to it.  For attachments,
    # django-sendfile sets the response['Content-disposition'] like
    # this: `attachment; filename="b'zulip.txt'"; filename*=UTF-8''zulip.txt`.
    #
    # The "filename" field (used to name the file when downloaded) is
    # unreliable because it doesn't have a well-defined encoding; the
    # newer filename* field takes precedence, since it uses a
    # consistent format (urlquoted).  For more details on filename*
    # and filename, see the below docs:
    # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Disposition
    attachment = True
    file_type = guess_type(local_path)[0]
    if file_type is not None and (file_type.startswith("image/") or
                                  file_type == "application/pdf"):
        attachment = False

    return sendfile(request, local_path, attachment=attachment)

@has_request_variables
def serve_file_backend(request: HttpRequest, user_profile: UserProfile,
                       realm_id_str: str, filename: str) -> HttpResponse:
    path_id = "%s/%s" % (realm_id_str, filename)
    is_authorized = validate_attachment_request(user_profile, path_id)

    if is_authorized is None:
        return HttpResponseNotFound(_("<p>File not found.</p>"))
    if not is_authorized:
        return HttpResponseForbidden(_("<p>You are not authorized to view this file.</p>"))
    if settings.LOCAL_UPLOADS_DIR is not None:
        return serve_local(request, path_id)

    return serve_s3(request, path_id)

def upload_file_backend(request: HttpRequest, user_profile: UserProfile) -> HttpResponse:
    if len(request.FILES) == 0:
        return json_error(_("You must specify a file to upload"))
    if len(request.FILES) != 1:
        return json_error(_("You may only upload one file at a time"))

    user_file = list(request.FILES.values())[0]
    file_size = user_file._get_size()
    if settings.MAX_FILE_UPLOAD_SIZE * 1024 * 1024 < file_size:
        return json_error(_("Uploaded file is larger than the allowed limit of %s MB") % (
            settings.MAX_FILE_UPLOAD_SIZE))
    check_upload_within_quota(user_profile.realm, file_size)

    if not isinstance(user_file.name, str):
        # It seems that in Python 2 unicode strings containing bytes are
        # rendered differently than ascii strings containing same bytes.
        #
        # Example:
        # >>> print('\xd3\x92')
        # Ӓ
        # >>> print(u'\xd3\x92')
        # Ó
        #
        # This is the cause of the problem as user_file.name variable
        # is received as a unicode which is converted into unicode
        # strings containing bytes and is rendered incorrectly.
        #
        # Example:
        # >>> import urllib.parse
        # >>> name = u'%D0%97%D0%B4%D1%80%D0%B0%D0%B2%D0%B5%D0%B8%CC%86%D1%82%D0%B5.txt'
        # >>> print(urllib.parse.unquote(name))
        # ÐÐ´ÑÐ°Ð²ÐµÐ¸ÌÑÐµ  # This is wrong
        #
        # >>> name = '%D0%97%D0%B4%D1%80%D0%B0%D0%B2%D0%B5%D0%B8%CC%86%D1%82%D0%B5.txt'
        # >>> print(urllib.parse.unquote(name))
        # Здравейте.txt  # This is correct
        user_file.name = user_file.name.encode('ascii')

    uri = upload_message_image_from_request(request, user_file, user_profile)
    return json_success({'uri': uri})
Url encoded name of the file should be an ascii. The url encoded name of the file should not be a unicode. This results in an error when we later try to unquote it. Fixes: #1803 2016-09-19 13:31:40 +02:00			`# -- coding: utf-8 --`
Refactor file upload routes to their own file. 2016-06-07 01:09:05 +02:00
Serve uploaded files through get_uploaded_file in development. Previously, uploaded files were served: * With S3UploadBackend, via get_uploaded_file (redirects to S3) * With LocalUploadBackend in production, via nginx directly * With LocalUploadBackend in development, via Django's static file server This changes that last case to use get_uploaded_file in development, which is a key step towards being able to do proper access control authorization. Does not affect production. 2016-06-09 12:19:56 +02:00			`from django.http import HttpRequest, HttpResponse, HttpResponseForbidden, FileResponse, \`
			`HttpResponseNotFound`
Refactor file upload routes to their own file. 2016-06-07 01:09:05 +02:00			`from django.shortcuts import redirect`
			`from django.utils.translation import ugettext as _`

			`from zerver.lib.request import has_request_variables, REQ`
			`from zerver.lib.response import json_success, json_error`
Serve uploaded files through get_uploaded_file in development. Previously, uploaded files were served: * With S3UploadBackend, via get_uploaded_file (redirects to S3) * With LocalUploadBackend in production, via nginx directly * With LocalUploadBackend in development, via Django's static file server This changes that last case to use get_uploaded_file in development, which is a key step towards being able to do proper access control authorization. Does not affect production. 2016-06-09 12:19:56 +02:00			`from zerver.lib.upload import upload_message_image_from_request, get_local_file_path, \`
upload: Enforce per-realm quota. 2018-01-26 16:13:33 +01:00			`get_signed_upload_url, get_realm_for_filename, check_upload_within_quota`
Refactor file upload routes to their own file. 2016-06-07 01:09:05 +02:00			`from zerver.lib.validator import check_bool`
uploads: Add authorization check before serving files. This is a remerge of e985b57259f86dcdbddb115fc5009e2db04496ff (after resolving merge conflicts, updating the tests, adding mypy annotations etc.), which should now be correct, because we've done the necessary database migration. The rebase/remerge work was done by Tim Abbott and Aditya Bansal. This is an important part of #320. 2016-06-17 19:48:17 +02:00			`from zerver.models import UserProfile, validate_attachment_request`
Refactor file upload routes to their own file. 2016-06-07 01:09:05 +02:00			`from django.conf import settings`
local-uploads: Start running authentication checks on file requests. From here on we start to authenticate uploaded file request before serving this files in production. This involves allowing NGINX to pass on these file requests to Django for authentication and then serve these files by making use on internal redirect requests having x-accel-redirect field. The redirection on requests and loading of x-accel-redirect param is handled by django-sendfile. NOTE: This commit starts to authenticate these requests for Zulip servers running platforms either Ubuntu Xenial (16.04) or above. Fixes: #320 and #291 partially. 2018-02-12 18:18:03 +01:00			`from sendfile import sendfile`
uploads: Make django-sendfile to force downloading attachments. We start to force downloads for the attachment files. We do this for all files except images or pdf's. We would like images or pdf's to open up in browser itself. Tweaked by tabbott for comment clarity and correctness. 2018-03-13 07:08:27 +01:00			`from mimetypes import guess_type`
Refactor file upload routes to their own file. 2016-06-07 01:09:05 +02:00
zerver/views: Use Python 3 syntax for typing. Edited by tabbott to remove state.py and streams.py, because of problems with the original PR's changes, and wrap some long lines. 2017-11-27 09:28:57 +01:00			`def serve_s3(request: HttpRequest, url_path: str) -> HttpResponse:`
uploads: Add authorization check before serving files. This is a remerge of e985b57259f86dcdbddb115fc5009e2db04496ff (after resolving merge conflicts, updating the tests, adding mypy annotations etc.), which should now be correct, because we've done the necessary database migration. The rebase/remerge work was done by Tim Abbott and Aditya Bansal. This is an important part of #320. 2016-06-17 19:48:17 +02:00			`uri = get_signed_upload_url(url_path)`
			`return redirect(uri)`
Refactor zerver.views.upload. 2016-06-08 11:22:06 +02:00
local-uploads: Start running authentication checks on file requests. From here on we start to authenticate uploaded file request before serving this files in production. This involves allowing NGINX to pass on these file requests to Django for authentication and then serve these files by making use on internal redirect requests having x-accel-redirect field. The redirection on requests and loading of x-accel-redirect param is handled by django-sendfile. NOTE: This commit starts to authenticate these requests for Zulip servers running platforms either Ubuntu Xenial (16.04) or above. Fixes: #320 and #291 partially. 2018-02-12 18:18:03 +01:00			`def serve_local(request: HttpRequest, path_id: str) -> HttpResponse:`
Serve uploaded files through get_uploaded_file in development. Previously, uploaded files were served: * With S3UploadBackend, via get_uploaded_file (redirects to S3) * With LocalUploadBackend in production, via nginx directly * With LocalUploadBackend in development, via Django's static file server This changes that last case to use get_uploaded_file in development, which is a key step towards being able to do proper access control authorization. Does not affect production. 2016-06-09 12:19:56 +02:00			`local_path = get_local_file_path(path_id)`
			`if local_path is None:`
			`return HttpResponseNotFound('<p>File not found</p>')`
uploads: Make django-sendfile to force downloading attachments. We start to force downloads for the attachment files. We do this for all files except images or pdf's. We would like images or pdf's to open up in browser itself. Tweaked by tabbott for comment clarity and correctness. 2018-03-13 07:08:27 +01:00
			`# Here we determine whether a browser should treat the file like`
			`# an attachment (and thus clicking a link to it should download)`
			`# or like a link (and thus clicking a link to it should display it`
			`# in a browser tab). This is controlled by the`
			# Content-Disposition header; `django-sendfile` sends the
			`# attachment-style version of that header if and only if the`
			`# attachment argument is passed to it. For attachments,`
			`# django-sendfile sets the response['Content-disposition'] like`
			# this: `attachment; filename="b'zulip.txt'"; filename*=UTF-8''zulip.txt`.
			`#`
			`# The "filename" field (used to name the file when downloaded) is`
			`# unreliable because it doesn't have a well-defined encoding; the`
			`# newer filename* field takes precedence, since it uses a`
			`# consistent format (urlquoted). For more details on filename*`
			`# and filename, see the below docs:`
			`# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Disposition`
			`attachment = True`
			`file_type = guess_type(local_path)[0]`
			`if file_type is not None and (file_type.startswith("image/") or`
			`file_type == "application/pdf"):`
			`attachment = False`

			`return sendfile(request, local_path, attachment=attachment)`
Serve uploaded files through get_uploaded_file in development. Previously, uploaded files were served: * With S3UploadBackend, via get_uploaded_file (redirects to S3) * With LocalUploadBackend in production, via nginx directly * With LocalUploadBackend in development, via Django's static file server This changes that last case to use get_uploaded_file in development, which is a key step towards being able to do proper access control authorization. Does not affect production. 2016-06-09 12:19:56 +02:00
Add support for serving files using API authentication. Also remove 'get_uploaded_file' view function and the corresponding old '/user_upload/' url pattern. 2016-06-27 16:41:58 +02:00			`@has_request_variables`
zerver/views: Use Python 3 syntax for typing. Edited by tabbott to remove state.py and streams.py, because of problems with the original PR's changes, and wrap some long lines. 2017-11-27 09:28:57 +01:00			`def serve_file_backend(request: HttpRequest, user_profile: UserProfile,`
			`realm_id_str: str, filename: str) -> HttpResponse:`
Serve uploaded files through get_uploaded_file in development. Previously, uploaded files were served: * With S3UploadBackend, via get_uploaded_file (redirects to S3) * With LocalUploadBackend in production, via nginx directly * With LocalUploadBackend in development, via Django's static file server This changes that last case to use get_uploaded_file in development, which is a key step towards being able to do proper access control authorization. Does not affect production. 2016-06-09 12:19:56 +02:00			`path_id = "%s/%s" % (realm_id_str, filename)`
uploads: Add authorization check before serving files. This is a remerge of e985b57259f86dcdbddb115fc5009e2db04496ff (after resolving merge conflicts, updating the tests, adding mypy annotations etc.), which should now be correct, because we've done the necessary database migration. The rebase/remerge work was done by Tim Abbott and Aditya Bansal. This is an important part of #320. 2016-06-17 19:48:17 +02:00			`is_authorized = validate_attachment_request(user_profile, path_id)`

			`if is_authorized is None:`
			`return HttpResponseNotFound(_("<p>File not found.</p>"))`
			`if not is_authorized:`
			`return HttpResponseForbidden(_("<p>You are not authorized to view this file.</p>"))`
Refactor zerver.views.upload. 2016-06-08 11:22:06 +02:00			`if settings.LOCAL_UPLOADS_DIR is not None:`
Serve uploaded files through get_uploaded_file in development. Previously, uploaded files were served: * With S3UploadBackend, via get_uploaded_file (redirects to S3) * With LocalUploadBackend in production, via nginx directly * With LocalUploadBackend in development, via Django's static file server This changes that last case to use get_uploaded_file in development, which is a key step towards being able to do proper access control authorization. Does not affect production. 2016-06-09 12:19:56 +02:00			`return serve_local(request, path_id)`
Refactor zerver.views.upload. 2016-06-08 11:22:06 +02:00
uploads: Add authorization check before serving files. This is a remerge of e985b57259f86dcdbddb115fc5009e2db04496ff (after resolving merge conflicts, updating the tests, adding mypy annotations etc.), which should now be correct, because we've done the necessary database migration. The rebase/remerge work was done by Tim Abbott and Aditya Bansal. This is an important part of #320. 2016-06-17 19:48:17 +02:00			`return serve_s3(request, path_id)`
Refactor zerver.views.upload. 2016-06-08 11:22:06 +02:00
zerver/views: Use Python 3 syntax for typing. Edited by tabbott to remove state.py and streams.py, because of problems with the original PR's changes, and wrap some long lines. 2017-11-27 09:28:57 +01:00			`def upload_file_backend(request: HttpRequest, user_profile: UserProfile) -> HttpResponse:`
zerver.views.upload: Move upload functions later in file. 2016-06-27 19:28:09 +02:00			`if len(request.FILES) == 0:`
			`return json_error(_("You must specify a file to upload"))`
			`if len(request.FILES) != 1:`
			`return json_error(_("You may only upload one file at a time"))`

			`user_file = list(request.FILES.values())[0]`
upload: Limit total size of files uploaded by a user to 1GB. Fixes #3884. 2017-03-02 11:17:10 +01:00			`file_size = user_file._get_size()`
			`if settings.MAX_FILE_UPLOAD_SIZE * 1024 * 1024 < file_size:`
translations: Improve some poorly-worded strings. 2017-01-29 00:08:08 +01:00			`return json_error(_("Uploaded file is larger than the allowed limit of %s MB") % (`
			`settings.MAX_FILE_UPLOAD_SIZE))`
upload: Enforce per-realm quota. 2018-01-26 16:13:33 +01:00			`check_upload_within_quota(user_profile.realm, file_size)`
zerver.views.upload: Move upload functions later in file. 2016-06-27 19:28:09 +02:00
Url encoded name of the file should be an ascii. The url encoded name of the file should not be a unicode. This results in an error when we later try to unquote it. Fixes: #1803 2016-09-19 13:31:40 +02:00			`if not isinstance(user_file.name, str):`
			`# It seems that in Python 2 unicode strings containing bytes are`
			`# rendered differently than ascii strings containing same bytes.`
			`#`
			`# Example:`
			`# >>> print('\xd3\x92')`
			`# Ӓ`
			`# >>> print(u'\xd3\x92')`
			`# Ó`
			`#`
			`# This is the cause of the problem as user_file.name variable`
			`# is received as a unicode which is converted into unicode`
			`# strings containing bytes and is rendered incorrectly.`
			`#`
			`# Example:`
Remove six.moves.urllib usage. 2017-11-09 09:10:40 +01:00			`# >>> import urllib.parse`
Url encoded name of the file should be an ascii. The url encoded name of the file should not be a unicode. This results in an error when we later try to unquote it. Fixes: #1803 2016-09-19 13:31:40 +02:00			`# >>> name = u'%D0%97%D0%B4%D1%80%D0%B0%D0%B2%D0%B5%D0%B8%CC%86%D1%82%D0%B5.txt'`
			`# >>> print(urllib.parse.unquote(name))`
			`# ÐÐ´ÑÐ°Ð²ÐµÐ¸ÌÑÐµ # This is wrong`
			`#`
			`# >>> name = '%D0%97%D0%B4%D1%80%D0%B0%D0%B2%D0%B5%D0%B8%CC%86%D1%82%D0%B5.txt'`
			`# >>> print(urllib.parse.unquote(name))`
			`# Здравейте.txt # This is correct`
			`user_file.name = user_file.name.encode('ascii')`

zerver.views.upload: Move upload functions later in file. 2016-06-27 19:28:09 +02:00			`uri = upload_message_image_from_request(request, user_file, user_profile)`
			`return json_success({'uri': uri})`