File Access Control Expression

NGT · September 26, 2016, 3:41pm

Greetings,

I am trying to block .eml files from being uploaded. I feel like I am really close with the expression, but just off enough that it is not working.

Search shows .eml files have the following mime type: message/rfc822

I have tried this expression with no luck: /^message/(rfc822)$/I

Any help would be great!

Thank you for your time.

Mark

anon99252149 · September 26, 2016, 4:45pm

message/rfc822

https://docs.nextcloud.com/server/10/admin_manual/configuration_files/files_access_control.html#prevent-uploading-of-specific-files

NGT · September 29, 2016, 6:46pm

We have tried this expression and it still does allows eml files from users to be uploaded.

Any other ideas?

Thank you for your help.

Mark

anon99252149 · September 29, 2016, 8:59pm

Sorry, I was wrong! RegExp is for multiple MIME types. Please use the appropriate MIME type with the is operator.

File mime type (upload) | is | message/rfc822

But in the new NC release 9.1.1.5 is a bug with File Access Control with FileSystemTags (/apps/workflowengine/lib/Check/FileSystemTags.php), imho. My old rules have blown the log file.

I will investigate it tomorrow.

NGT · September 29, 2016, 11:20pm

Thank you for all of your help.

Unfortunately this still did not work for us. We are running 10 or in the logs it says: version’ => '9.1.0.16

Again thank you for your help.

Mark

NGT · October 11, 2016, 4:06pm

Any progress with this? This is something that would really help us if we could get it working.

I appreciate all your help with this.

Thank you.

nickvergessen · October 12, 2016, 7:05am

I just tested this and it works quite fine here.

You can try adding the following debug code:

if (substr($this->path, -4) === '.eml') {
   \OC::$server->getLogger()->error('Mimetype of "{file}" is "{mime}"', [
      'app' => 'files_accesscontrol',
      'file' => $this->path,
      'mime' => $mimeType,
   ]);
}

Before the following line:

github.com

nextcloud/server/blob/v10.0.1/apps/workflowengine/lib/Check/FileMimeType.php#L105


					if ($mimeTypeTest !== 'application/octet-stream' && $mimeTypeTest !== false) {
						$mimeType = $mimeTypeTest;
					} else {
						$mimeTypeTest = $this->mimeTypeDetector->detect($files['tmp_name'][0]);
						if ($mimeTypeTest !== 'application/octet-stream' && $mimeTypeTest !== false) {
							$mimeType = $mimeTypeTest;
						}
					}
				}
				$this->mimeType[$this->storage->getId()][$this->path] = $mimeType;
				return $mimeType;
			}
		}


		$this->mimeType[$this->storage->getId()][$this->path] = $this->storage->getMimeType($this->path);
		if ($this->mimeType[$this->storage->getId()][$this->path] === 'application/octet-stream') {
			$this->mimeType[$this->storage->getId()][$this->path] = $this->detectMimetypeFromPath();
		}


		return $this->mimeType[$this->storage->getId()][$this->path];
	}

And upload the problematic file manually through the web UI. Then it will log the mimetype of your file, so you can see if it actually uses a different mimetype

NGT · October 12, 2016, 4:15pm

The GitHub code was way different then what was in our install.

<?php

/**

@license GNU AGPL version 3 or any later version
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU Affero General Public License as
published by the Free Software Foundation, either version 3 of the
License, or (at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU Affero General Public License for more details.
You should have received a copy of the GNU Affero General Public License
along with this program. If not, see http://www.gnu.org/licenses/.

*/

namespace OCA\WorkflowEngine\Check;

use OCP\Files\IMimeTypeDetector;
use OCP\IL10N;
use OCP\IRequest;

class FileMimeType extends AbstractStringCheck {

/** @var string */
protected $mimeType;

/** @var IRequest */
protected $request;

/** @var IMimeTypeDetector */
protected $mimeTypeDetector;

/**
 * @param IL10N $l
 * @param IRequest $request
 * @param IMimeTypeDetector $mimeTypeDetector
 */
public function __construct(IL10N $l, IRequest $request, IMimeTypeDetector $mimeTypeDetector) {
	parent::__construct($l);
	$this->request = $request;
	$this->mimeTypeDetector = $mimeTypeDetector;
}

/**
 * @return string
 */
protected function getActualValue() {
	if ($this->mimeType !== null) {
		return $this->mimeType;
	}

	$this->mimeType = '';
	if ($this->isWebDAVRequest()) {
		if ($this->request->getMethod() === 'PUT') {
			$path = $this->request->getPathInfo();
			$this->mimeType = $this->mimeTypeDetector->detectPath($path);
		}
	} else if (in_array($this->request->getMethod(), ['POST', 'PUT'])) {
		$files = $this->request->getUploadedFile('files');
		if (isset($files['type'][0])) {
			$this->mimeType = $files['type'][0];
		}
	}
	return $this->mimeType;
}

/**
 * @return bool
 */
protected function isWebDAVRequest() {
	return substr($this->request->getScriptName(), 0 - strlen('/remote.php')) === '/remote.php' && (
		$this->request->getPathInfo() === '/webdav' ||
		strpos($this->request->getPathInfo(), '/webdav/') === 0 ||
		$this->request->getPathInfo() === '/dav/files' ||
		strpos($this->request->getPathInfo(), '/dav/files/') === 0
	);
}

}

I changed the code to GitHub and things seem to be working like we expected it to.

Thank you for your help with this. I really appreciate it