Added extension whitelist for opening files (#692)

IB-6264 Co-authored-by: Hans Niinemäe <[email protected]>
open-eid · Apr 21, 2020 · 61f6c68 · 61f6c68
1 parent 6dd5077
commit 61f6c68
Show file tree

Hide file tree

Showing 4 changed files with 48 additions and 12 deletions.
diff --git a/client/DocumentModel.cpp b/client/DocumentModel.cpp
@@ -23,6 +23,10 @@
 #include "dialogs/FileDialog.h"
 #include "dialogs/WarningDialog.h"
 
+#include <common/Configuration.h>
+
+#include <QtCore/QJsonObject>
+#include <QtCore/QJsonArray>
 #include <QtCore/QFileInfo>
 #include <QtCore/QProcessEnvironment>
 
@@ -56,18 +60,26 @@ QStringList DocumentModel::tempFiles() const
 
 bool DocumentModel::verifyFile(const QString &f)
 {
-#if defined(Q_OS_WIN)
-	QStringList exts = QProcessEnvironment::systemEnvironment().value("PATHEXT").split(';');
-	exts.append({".PIF", ".SCR", ".LNK"});
-	WarningDialog dlg(tr("This is an executable file! "
-		"Executable files may contain viruses or other malicious code that could harm your computer. "
-		"Are you sure you want to launch this file?"), qApp->activeWindow());
-	dlg.setCancelText(tr("NO"));
-	dlg.addButton(tr("YES"), 1);
-	if(exts.contains("." + QFileInfo(f).suffix(), Qt::CaseInsensitive) && dlg.exec() != 1)
+	QJsonObject obj;
+	#ifdef CONFIG_URL
+		obj = Configuration::instance().object();
+	#endif
+
+	static const QJsonArray defaultArray = {
+			QStringLiteral("ddoc"), QStringLiteral("bdoc") ,QStringLiteral("edoc"), QStringLiteral("adoc"), QStringLiteral("asice"), QStringLiteral("cdoc"), QStringLiteral("asics"),
+			QStringLiteral("txt"), QStringLiteral("doc"), QStringLiteral("docx"), QStringLiteral("odt"), QStringLiteral("ods"), QStringLiteral("tex"), QStringLiteral("wks"), QStringLiteral("wps"),
+			QStringLiteral("wpd"), QStringLiteral("rtf"), QStringLiteral("xlr"), QStringLiteral("xls"), QStringLiteral("xlsx"), QStringLiteral("pdf"), QStringLiteral("key"), QStringLiteral("odp"),
+			QStringLiteral("pps"), QStringLiteral("ppt"), QStringLiteral("pptx"), QStringLiteral("png"), QStringLiteral("jpg"), QStringLiteral("jpeg"), QStringLiteral("bmp"), QStringLiteral("ai"),
+			QStringLiteral("gif"), QStringLiteral("ico"), QStringLiteral("ps"), QStringLiteral("psd"), QStringLiteral("tif"), QStringLiteral("tiff")};
+
+	QJsonArray allowedExts = obj.value(QLatin1String("ALLOWED-EXTENSIONS")).toArray(defaultArray);
+
+	if(!allowedExts.contains(QJsonValue(QFileInfo(f).suffix().toLower()))){
+		WarningDialog dlg(tr("A file with this extension cannot be opened in the DigiDoc4 Client. Download the file to view it."), qApp->activeWindow());
+		dlg.setCancelText(tr("OK"));
+		dlg.exec();
 		return false;
-#else
-	Q_UNUSED(f)
-#endif
+	}
+
 	return true;
 }
diff --git a/client/translations/en.ts b/client/translations/en.ts
@@ -846,6 +846,10 @@
         <source>This is an executable file! Executable files may contain viruses or other malicious code that could harm your computer. Are you sure you want to launch this file?</source>
         <translation>This is an executable file! Executable files may contain viruses or other malicious code that could harm your computer. Are you sure you want to launch this file?</translation>
     </message>
+    <message>
+        <source>A file with this extension cannot be opened in the DigiDoc4 Client. Download the file to view it.</source>
+        <translation>A file with this extension cannot be opened in the DigiDoc4 Client. Download the file to view it.</translation>
+    </message>
     <message>
         <source>Cannot add the file to the envelope. File &apos;%1&apos; is already in container.</source>
         <translation>Cannot add the file to the envelope. File &apos;%1&apos; is already in container.</translation>
@@ -866,6 +870,10 @@
         <source>YES</source>
         <translation>YES</translation>
     </message>
+    <message>
+        <source>OK</source>
+        <translation>OK</translation>
+    </message>
 </context>
 <context>
     <name>FileDialog</name>

diff --git a/client/translations/et.ts b/client/translations/et.ts
@@ -846,6 +846,10 @@
         <source>This is an executable file! Executable files may contain viruses or other malicious code that could harm your computer. Are you sure you want to launch this file?</source>
         <translation>See on käivitatav fail! Käivitatavad failid võivad sisaldada viirusi või muud pahatahtlikku koodi, mis võib kahjustada Sinu arvutit. Kas oled kindel, et tahad seda faili käivitada?</translation>
     </message>
+    <message>
+        <source>A file with this extension cannot be opened in the DigiDoc4 Client. Download the file to view it.</source>
+        <translation>Sellise laiendiga faili ei ole võimalik avada DigiDoc4 kliendis. Faili vaatamiseks laadi see alla.</translation>
+    </message>
     <message>
         <source>Cannot add the file to the envelope. File &apos;%1&apos; is already in container.</source>
         <translation>Faili lisamine ümbrikusse ebaõnnestus. Lisatud &apos;%1&apos; on juba ümbrikus olemas.</translation>
@@ -866,6 +870,10 @@
         <source>YES</source>
         <translation>JAH</translation>
     </message>
+    <message>
+        <source>OK</source>
+        <translation>OK</translation>
+    </message>
 </context>
 <context>
     <name>FileDialog</name>

diff --git a/client/translations/ru.ts b/client/translations/ru.ts
@@ -848,6 +848,10 @@
         <source>This is an executable file! Executable files may contain viruses or other malicious code that could harm your computer. Are you sure you want to launch this file?</source>
         <translation>Это выполняемый файл! Выполняемый файл может содержать вирусы или другой вредоносный код которые могут повредить ваш компьютер. Вы уверены что хотите запустить?</translation>
     </message>
+    <message>
+        <source>A file with this extension cannot be opened in the DigiDoc4 Client. Download the file to view it.</source>
+        <translation>Файл с таким расширением не может быть открыт в клиенте DigiDoc4. Загрузите файл, чтобы просмотреть его.</translation>
+    </message>
     <message>
         <source>Cannot add the file to the envelope. File &apos;%1&apos; is already in container.</source>
         <translation>Невозможно добавить файл в контейнер. Файл &apos;%1&apos; уже в контейнере.</translation>
@@ -868,6 +872,10 @@
         <source>YES</source>
         <translation>ДА</translation>
     </message>
+    <message>
+        <source>OK</source>
+        <translation>OK</translation>
+    </message>
 </context>
 <context>
     <name>FileDialog</name>