zulip/zerver/views/upload.py

from mimetypes import guess_type

from django.conf import settings
from django.http import HttpRequest, HttpResponse, HttpResponseForbidden, HttpResponseNotFound
from django.shortcuts import redirect
from django.utils.cache import patch_cache_control
from django.utils.translation import ugettext as _
from django_sendfile import sendfile

from zerver.lib.response import json_error, json_success
from zerver.lib.upload import (
    INLINE_MIME_TYPES,
    check_upload_within_quota,
    generate_unauthed_file_access_url,
    get_local_file_path,
    get_local_file_path_id_from_token,
    get_signed_upload_url,
    upload_message_image_from_request,
)
from zerver.models import UserProfile, validate_attachment_request


def serve_s3(request: HttpRequest, url_path: str, url_only: bool) -> HttpResponse:
    url = get_signed_upload_url(url_path)
    if url_only:
        return json_success(dict(url=url))

    return redirect(url)

def serve_local(request: HttpRequest, path_id: str, url_only: bool) -> HttpResponse:
    local_path = get_local_file_path(path_id)
    if local_path is None:
        return HttpResponseNotFound('<p>File not found</p>')

    if url_only:
        url = generate_unauthed_file_access_url(path_id)
        return json_success(dict(url=url))

    # Here we determine whether a browser should treat the file like
    # an attachment (and thus clicking a link to it should download)
    # or like a link (and thus clicking a link to it should display it
    # in a browser tab).  This is controlled by the
    # Content-Disposition header; `django-sendfile2` sends the
    # attachment-style version of that header if and only if the
    # attachment argument is passed to it.  For attachments,
    # django-sendfile2 sets the response['Content-disposition'] like
    # this: `attachment; filename="zulip.txt"; filename*=UTF-8''zulip.txt`.
    # The filename* parameter is omitted for ASCII filenames like this one.
    #
    # The "filename" field (used to name the file when downloaded) is
    # unreliable because it doesn't have a well-defined encoding; the
    # newer filename* field takes precedence, since it uses a
    # consistent format (urlquoted).  For more details on filename*
    # and filename, see the below docs:
    # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Disposition
    mimetype, encoding = guess_type(local_path)
    attachment = mimetype not in INLINE_MIME_TYPES

    response = sendfile(request, local_path, attachment=attachment,
                        mimetype=mimetype, encoding=encoding)
    patch_cache_control(response, private=True, immutable=True)
    return response

def serve_file_backend(request: HttpRequest, user_profile: UserProfile,
                       realm_id_str: str, filename: str) -> HttpResponse:
    return serve_file(request, user_profile, realm_id_str, filename, url_only=False)

def serve_file_url_backend(request: HttpRequest, user_profile: UserProfile,
                           realm_id_str: str, filename: str) -> HttpResponse:
    """
    We should return a signed, short-lived URL
    that the client can use for native mobile download, rather than serving a redirect.
    """

    return serve_file(request, user_profile, realm_id_str, filename, url_only=True)

def serve_file(request: HttpRequest, user_profile: UserProfile,
               realm_id_str: str, filename: str,
               url_only: bool=False) -> HttpResponse:
    path_id = f"{realm_id_str}/{filename}"
    is_authorized = validate_attachment_request(user_profile, path_id)

    if is_authorized is None:
        return HttpResponseNotFound(_("<p>File not found.</p>"))
    if not is_authorized:
        return HttpResponseForbidden(_("<p>You are not authorized to view this file.</p>"))
    if settings.LOCAL_UPLOADS_DIR is not None:
        return serve_local(request, path_id, url_only)

    return serve_s3(request, path_id, url_only)

def serve_local_file_unauthed(request: HttpRequest, token: str, filename: str) -> HttpResponse:
    path_id = get_local_file_path_id_from_token(token)
    if path_id is None:
        return json_error(_("Invalid token"))
    if path_id.split('/')[-1] != filename:
        return json_error(_("Invalid filename"))

    return serve_local(request, path_id, url_only=False)

def upload_file_backend(request: HttpRequest, user_profile: UserProfile) -> HttpResponse:
    if len(request.FILES) == 0:
        return json_error(_("You must specify a file to upload"))
    if len(request.FILES) != 1:
        return json_error(_("You may only upload one file at a time"))

    user_file = list(request.FILES.values())[0]
    file_size = user_file.size
    if settings.MAX_FILE_UPLOAD_SIZE * 1024 * 1024 < file_size:
        return json_error(_("Uploaded file is larger than the allowed limit of {} MiB").format(
            settings.MAX_FILE_UPLOAD_SIZE,
        ))
    check_upload_within_quota(user_profile.realm, file_size)

    uri = upload_message_image_from_request(request, user_file, user_profile)
    return json_success({'uri': uri})
python: Sort imports with isort. Fixes #2665. Regenerated by tabbott with `lint --fix` after a rebase and change in parameters. Note from tabbott: In a few cases, this converts technical debt in the form of unsorted imports into different technical debt in the form of our largest files having very long, ugly import sequences at the start. I expect this change will increase pressure for us to split those files, which isn't a bad thing. Signed-off-by: Anders Kaseorg <anders@zulip.com> 2020-06-11 00:54:34 +02:00			`from mimetypes import guess_type`

			`from django.conf import settings`
			`from django.http import HttpRequest, HttpResponse, HttpResponseForbidden, HttpResponseNotFound`
Refactor file upload routes to their own file. 2016-06-07 01:09:05 +02:00			`from django.shortcuts import redirect`
upload: Fix browser caching of uploads with local uploads backend. Apparently, our change in b8a1050fc4135b2d2921052c3f1ef55b53dbb028 to stop caching responses on API endpoints accidentally ended up affecting uploaded files as well. Fix this by explicitly setting a Cache-Control header in our Sendfile responses, as well as changing our outer API caching code to only set the never cache headers if the view function didn't explicitly specify them itself. This is not directly related to #13088, as that is a similar issue with the S3 backend. Thanks to Gert Burger for the report. 2019-10-02 00:10:30 +02:00			`from django.utils.cache import patch_cache_control`
Refactor file upload routes to their own file. 2016-06-07 01:09:05 +02:00			`from django.utils.translation import ugettext as _`
python: Sort imports with isort. Fixes #2665. Regenerated by tabbott with `lint --fix` after a rebase and change in parameters. Note from tabbott: In a few cases, this converts technical debt in the form of unsorted imports into different technical debt in the form of our largest files having very long, ugly import sequences at the start. I expect this change will increase pressure for us to split those files, which isn't a bad thing. Signed-off-by: Anders Kaseorg <anders@zulip.com> 2020-06-11 00:54:34 +02:00			`from django_sendfile import sendfile`
Refactor file upload routes to their own file. 2016-06-07 01:09:05 +02:00
python: Sort imports with isort. Fixes #2665. Regenerated by tabbott with `lint --fix` after a rebase and change in parameters. Note from tabbott: In a few cases, this converts technical debt in the form of unsorted imports into different technical debt in the form of our largest files having very long, ugly import sequences at the start. I expect this change will increase pressure for us to split those files, which isn't a bad thing. Signed-off-by: Anders Kaseorg <anders@zulip.com> 2020-06-11 00:54:34 +02:00			`from zerver.lib.response import json_error, json_success`
			`from zerver.lib.upload import (`
			`INLINE_MIME_TYPES,`
			`check_upload_within_quota,`
			`generate_unauthed_file_access_url,`
			`get_local_file_path,`
			`get_local_file_path_id_from_token,`
			`get_signed_upload_url,`
			`upload_message_image_from_request,`
			`)`
uploads: Add authorization check before serving files. This is a remerge of e985b57259f86dcdbddb115fc5009e2db04496ff (after resolving merge conflicts, updating the tests, adding mypy annotations etc.), which should now be correct, because we've done the necessary database migration. The rebase/remerge work was done by Tim Abbott and Aditya Bansal. This is an important part of #320. 2016-06-17 19:48:17 +02:00			`from zerver.models import UserProfile, validate_attachment_request`
python: Sort imports with isort. Fixes #2665. Regenerated by tabbott with `lint --fix` after a rebase and change in parameters. Note from tabbott: In a few cases, this converts technical debt in the form of unsorted imports into different technical debt in the form of our largest files having very long, ugly import sequences at the start. I expect this change will increase pressure for us to split those files, which isn't a bad thing. Signed-off-by: Anders Kaseorg <anders@zulip.com> 2020-06-11 00:54:34 +02:00
Refactor file upload routes to their own file. 2016-06-07 01:09:05 +02:00
upload: Support requesting a temporary unauthenticated URL. This is be useful for the mobile and desktop apps to hand an uploaded file off to the system browser so that it can render PDFs (Etc.). The S3 backend implementation is simple; for the local upload backend, we use Django's signing feature to simulate the same sort of 60-second lifetime token. Co-Author-By: Mateusz Mandera <mateusz.mandera@protonmail.com> 2020-04-08 00:27:24 +02:00			`def serve_s3(request: HttpRequest, url_path: str, url_only: bool) -> HttpResponse:`
			`url = get_signed_upload_url(url_path)`
			`if url_only:`
			`return json_success(dict(url=url))`
Refactor zerver.views.upload. 2016-06-08 11:22:06 +02:00
upload: Support requesting a temporary unauthenticated URL. This is be useful for the mobile and desktop apps to hand an uploaded file off to the system browser so that it can render PDFs (Etc.). The S3 backend implementation is simple; for the local upload backend, we use Django's signing feature to simulate the same sort of 60-second lifetime token. Co-Author-By: Mateusz Mandera <mateusz.mandera@protonmail.com> 2020-04-08 00:27:24 +02:00			`return redirect(url)`

			`def serve_local(request: HttpRequest, path_id: str, url_only: bool) -> HttpResponse:`
Serve uploaded files through get_uploaded_file in development. Previously, uploaded files were served: * With S3UploadBackend, via get_uploaded_file (redirects to S3) * With LocalUploadBackend in production, via nginx directly * With LocalUploadBackend in development, via Django's static file server This changes that last case to use get_uploaded_file in development, which is a key step towards being able to do proper access control authorization. Does not affect production. 2016-06-09 12:19:56 +02:00			`local_path = get_local_file_path(path_id)`
			`if local_path is None:`
			`return HttpResponseNotFound('<p>File not found</p>')`
uploads: Make django-sendfile to force downloading attachments. We start to force downloads for the attachment files. We do this for all files except images or pdf's. We would like images or pdf's to open up in browser itself. Tweaked by tabbott for comment clarity and correctness. 2018-03-13 07:08:27 +01:00
upload: Support requesting a temporary unauthenticated URL. This is be useful for the mobile and desktop apps to hand an uploaded file off to the system browser so that it can render PDFs (Etc.). The S3 backend implementation is simple; for the local upload backend, we use Django's signing feature to simulate the same sort of 60-second lifetime token. Co-Author-By: Mateusz Mandera <mateusz.mandera@protonmail.com> 2020-04-08 00:27:24 +02:00			`if url_only:`
			`url = generate_unauthed_file_access_url(path_id)`
			`return json_success(dict(url=url))`

uploads: Make django-sendfile to force downloading attachments. We start to force downloads for the attachment files. We do this for all files except images or pdf's. We would like images or pdf's to open up in browser itself. Tweaked by tabbott for comment clarity and correctness. 2018-03-13 07:08:27 +01:00			`# Here we determine whether a browser should treat the file like`
			`# an attachment (and thus clicking a link to it should download)`
			`# or like a link (and thus clicking a link to it should display it`
			`# in a browser tab). This is controlled by the`
requirements: Use maintained fork django-sendfile2 of django-sendfile The original seems to be unmaintained (johnsensible/django-sendfile#65). Notably, this fixes a bug in the filename parameter, which perviously showed the Python 3 repr of a byte string (johnsensible/django-sendfile#49). Signed-off-by: Anders Kaseorg <anders@zulipchat.com> 2019-08-12 01:52:09 +02:00			# Content-Disposition header; `django-sendfile2` sends the
uploads: Make django-sendfile to force downloading attachments. We start to force downloads for the attachment files. We do this for all files except images or pdf's. We would like images or pdf's to open up in browser itself. Tweaked by tabbott for comment clarity and correctness. 2018-03-13 07:08:27 +01:00			`# attachment-style version of that header if and only if the`
			`# attachment argument is passed to it. For attachments,`
requirements: Use maintained fork django-sendfile2 of django-sendfile The original seems to be unmaintained (johnsensible/django-sendfile#65). Notably, this fixes a bug in the filename parameter, which perviously showed the Python 3 repr of a byte string (johnsensible/django-sendfile#49). Signed-off-by: Anders Kaseorg <anders@zulipchat.com> 2019-08-12 01:52:09 +02:00			`# django-sendfile2 sets the response['Content-disposition'] like`
			# this: `attachment; filename="zulip.txt"; filename*=UTF-8''zulip.txt`.
			`# The filename* parameter is omitted for ASCII filenames like this one.`
uploads: Make django-sendfile to force downloading attachments. We start to force downloads for the attachment files. We do this for all files except images or pdf's. We would like images or pdf's to open up in browser itself. Tweaked by tabbott for comment clarity and correctness. 2018-03-13 07:08:27 +01:00			`#`
			`# The "filename" field (used to name the file when downloaded) is`
			`# unreliable because it doesn't have a well-defined encoding; the`
			`# newer filename* field takes precedence, since it uses a`
			`# consistent format (urlquoted). For more details on filename*`
			`# and filename, see the below docs:`
			`# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Disposition`
CVE-2019-16216: Fix MIME type validation. * Whitelist a small number of image/ types to be served as non-attachments. * Serve the file using the type that we validated rather than relying on an independent guess to match. This issue can lead to a stored XSS security vulnerability for older browsers that don't support Content-Security-Policy. It primarily affects servers using Zulip's local file uploads backend for servers running Ubuntu 16.04 Xenial or newer; the legacy local file upload backend for (now EOL) Ubuntu 14.04 Trusty was not affected and it has limited impact for the S3 upload backend (which uses an unprivileged S3 bucket domain to serve files). Signed-off-by: Anders Kaseorg <anders@zulipchat.com> 2019-09-10 00:21:31 +02:00			`mimetype, encoding = guess_type(local_path)`
			`attachment = mimetype not in INLINE_MIME_TYPES`
uploads: Make django-sendfile to force downloading attachments. We start to force downloads for the attachment files. We do this for all files except images or pdf's. We would like images or pdf's to open up in browser itself. Tweaked by tabbott for comment clarity and correctness. 2018-03-13 07:08:27 +01:00
upload: Fix browser caching of uploads with local uploads backend. Apparently, our change in b8a1050fc4135b2d2921052c3f1ef55b53dbb028 to stop caching responses on API endpoints accidentally ended up affecting uploaded files as well. Fix this by explicitly setting a Cache-Control header in our Sendfile responses, as well as changing our outer API caching code to only set the never cache headers if the view function didn't explicitly specify them itself. This is not directly related to #13088, as that is a similar issue with the S3 backend. Thanks to Gert Burger for the report. 2019-10-02 00:10:30 +02:00			`response = sendfile(request, local_path, attachment=attachment,`
			`mimetype=mimetype, encoding=encoding)`
			`patch_cache_control(response, private=True, immutable=True)`
			`return response`
Serve uploaded files through get_uploaded_file in development. Previously, uploaded files were served: * With S3UploadBackend, via get_uploaded_file (redirects to S3) * With LocalUploadBackend in production, via nginx directly * With LocalUploadBackend in development, via Django's static file server This changes that last case to use get_uploaded_file in development, which is a key step towards being able to do proper access control authorization. Does not affect production. 2016-06-09 12:19:56 +02:00
zerver/views: Use Python 3 syntax for typing. Edited by tabbott to remove state.py and streams.py, because of problems with the original PR's changes, and wrap some long lines. 2017-11-27 09:28:57 +01:00			`def serve_file_backend(request: HttpRequest, user_profile: UserProfile,`
			`realm_id_str: str, filename: str) -> HttpResponse:`
upload: Support requesting a temporary unauthenticated URL. This is be useful for the mobile and desktop apps to hand an uploaded file off to the system browser so that it can render PDFs (Etc.). The S3 backend implementation is simple; for the local upload backend, we use Django's signing feature to simulate the same sort of 60-second lifetime token. Co-Author-By: Mateusz Mandera <mateusz.mandera@protonmail.com> 2020-04-08 00:27:24 +02:00			`return serve_file(request, user_profile, realm_id_str, filename, url_only=False)`

			`def serve_file_url_backend(request: HttpRequest, user_profile: UserProfile,`
			`realm_id_str: str, filename: str) -> HttpResponse:`
			`"""`
			`We should return a signed, short-lived URL`
			`that the client can use for native mobile download, rather than serving a redirect.`
			`"""`

			`return serve_file(request, user_profile, realm_id_str, filename, url_only=True)`

			`def serve_file(request: HttpRequest, user_profile: UserProfile,`
			`realm_id_str: str, filename: str,`
			`url_only: bool=False) -> HttpResponse:`
python: Convert percent formatting to Python 3.6 f-strings. Generated by pyupgrade --py36-plus. Signed-off-by: Anders Kaseorg <anders@zulip.com> 2020-06-10 06:41:04 +02:00			`path_id = f"{realm_id_str}/{filename}"`
uploads: Add authorization check before serving files. This is a remerge of e985b57259f86dcdbddb115fc5009e2db04496ff (after resolving merge conflicts, updating the tests, adding mypy annotations etc.), which should now be correct, because we've done the necessary database migration. The rebase/remerge work was done by Tim Abbott and Aditya Bansal. This is an important part of #320. 2016-06-17 19:48:17 +02:00			`is_authorized = validate_attachment_request(user_profile, path_id)`

			`if is_authorized is None:`
			`return HttpResponseNotFound(_("<p>File not found.</p>"))`
			`if not is_authorized:`
			`return HttpResponseForbidden(_("<p>You are not authorized to view this file.</p>"))`
Refactor zerver.views.upload. 2016-06-08 11:22:06 +02:00			`if settings.LOCAL_UPLOADS_DIR is not None:`
upload: Support requesting a temporary unauthenticated URL. This is be useful for the mobile and desktop apps to hand an uploaded file off to the system browser so that it can render PDFs (Etc.). The S3 backend implementation is simple; for the local upload backend, we use Django's signing feature to simulate the same sort of 60-second lifetime token. Co-Author-By: Mateusz Mandera <mateusz.mandera@protonmail.com> 2020-04-08 00:27:24 +02:00			`return serve_local(request, path_id, url_only)`

			`return serve_s3(request, path_id, url_only)`

upload: Include filename at the end of temporary access URLs. 2020-04-18 16:11:13 +02:00			`def serve_local_file_unauthed(request: HttpRequest, token: str, filename: str) -> HttpResponse:`
upload: Support requesting a temporary unauthenticated URL. This is be useful for the mobile and desktop apps to hand an uploaded file off to the system browser so that it can render PDFs (Etc.). The S3 backend implementation is simple; for the local upload backend, we use Django's signing feature to simulate the same sort of 60-second lifetime token. Co-Author-By: Mateusz Mandera <mateusz.mandera@protonmail.com> 2020-04-08 00:27:24 +02:00			`path_id = get_local_file_path_id_from_token(token)`
			`if path_id is None:`
			`return json_error(_("Invalid token"))`
upload: Include filename at the end of temporary access URLs. 2020-04-18 16:11:13 +02:00			`if path_id.split('/')[-1] != filename:`
			`return json_error(_("Invalid filename"))`
Refactor zerver.views.upload. 2016-06-08 11:22:06 +02:00
upload: Support requesting a temporary unauthenticated URL. This is be useful for the mobile and desktop apps to hand an uploaded file off to the system browser so that it can render PDFs (Etc.). The S3 backend implementation is simple; for the local upload backend, we use Django's signing feature to simulate the same sort of 60-second lifetime token. Co-Author-By: Mateusz Mandera <mateusz.mandera@protonmail.com> 2020-04-08 00:27:24 +02:00			`return serve_local(request, path_id, url_only=False)`
Refactor zerver.views.upload. 2016-06-08 11:22:06 +02:00
zerver/views: Use Python 3 syntax for typing. Edited by tabbott to remove state.py and streams.py, because of problems with the original PR's changes, and wrap some long lines. 2017-11-27 09:28:57 +01:00			`def upload_file_backend(request: HttpRequest, user_profile: UserProfile) -> HttpResponse:`
zerver.views.upload: Move upload functions later in file. 2016-06-27 19:28:09 +02:00			`if len(request.FILES) == 0:`
			`return json_error(_("You must specify a file to upload"))`
			`if len(request.FILES) != 1:`
			`return json_error(_("You may only upload one file at a time"))`

			`user_file = list(request.FILES.values())[0]`
dependencies: Upgrade to Django 2.2.10. Django 2.2.x is the next LTS release after Django 1.11.x; I expect we'll be on it for a while, as Django 3.x won't have an LTS release series out for a while. Because of upstream API changes in Django, this commit includes several changes beyond requirements and: * urls: django.urls.resolvers.RegexURLPattern has been replaced by django.urls.resolvers.URLPattern; affects OpenAPI code and related features which re-parse Django's internals. https://code.djangoproject.com/ticket/28593 * test_runner: Change number to suffix. Django changed the name in this ticket: https://code.djangoproject.com/ticket/28578 * Delete now-unnecessary SameSite cookie code (it's now the default). * forms: urlsafe_base64_encode returns string in Django 2.2. https://docs.djangoproject.com/en/2.2/ref/utils/#django.utils.http.urlsafe_base64_encode * upload: Django's File.size property replaces _get_size(). https://docs.djangoproject.com/en/2.2/_modules/django/core/files/base/ * process_queue: Migrate to new autoreload API. * test_messages: Add an extra query caused by .refresh_from_db() losing the .select_related() on the Realm object. * session: Sync SessionHostDomainMiddleware with Django 2.2. There's a lot more we can do to take advantage of the new release; this is tracked in #11341. Many changes by Tim Abbott, Umair Waheed, and Mateusz Mandera squashed are squashed into this commit. Fixes #10835. 2018-02-02 05:43:18 +01:00			`file_size = user_file.size`
upload: Limit total size of files uploaded by a user to 1GB. Fixes #3884. 2017-03-02 11:17:10 +01:00			`if settings.MAX_FILE_UPLOAD_SIZE * 1024 * 1024 < file_size:`
python: Convert percent formatting to .format for translated strings. Signed-off-by: Anders Kaseorg <anders@zulip.com> 2020-06-15 23:22:24 +02:00			`return json_error(_("Uploaded file is larger than the allowed limit of {} MiB").format(`
			`settings.MAX_FILE_UPLOAD_SIZE,`
			`))`
upload: Enforce per-realm quota. 2018-01-26 16:13:33 +01:00			`check_upload_within_quota(user_profile.realm, file_size)`
zerver.views.upload: Move upload functions later in file. 2016-06-27 19:28:09 +02:00
			`uri = upload_message_image_from_request(request, user_file, user_profile)`
			`return json_success({'uri': uri})`