using mime type checking during upload

src/documents/forms.py

@@ -3,22 +3,35 @@ import tempfile
 from datetime import datetime
 from time import mktime
 
+import magic
 from django import forms
 from django.conf import settings
 from django_q.tasks import async_task
 from pathvalidate import validate_filename, ValidationError
 
+from documents.parsers import is_mime_type_supported
+
 
 class UploadForm(forms.Form):
 
     document = forms.FileField()
 
     def clean_document(self):
+        document_name = self.cleaned_data.get("document").name
+
         try:
-            validate_filename(self.cleaned_data.get("document").name)
+            validate_filename(document_name)
         except ValidationError:
             raise forms.ValidationError("That filename is suspicious.")
-        return self.cleaned_data.get("document")
+
+        document_data = self.cleaned_data.get("document").read()
+
+        mime_type = magic.from_buffer(document_data, mime=True)
+
+        if not is_mime_type_supported(mime_type):
+            raise forms.ValidationError("This mime type is not supported.")
+
+        return document_name, document_data
 
     def save(self):
         """
@@ -27,8 +40,7 @@ class UploadForm(forms.Form):
         form do that as well.  Think of it as a poor-man's queue server.
         """
 
-        document = self.cleaned_data.get("document").read()
+        original_filename, data = self.cleaned_data.get("document")
-        original_filename = self.cleaned_data.get("document").name
 
         t = int(mktime(datetime.now().timetuple()))
 
@@ -36,7 +48,7 @@ class UploadForm(forms.Form):
 
         with tempfile.NamedTemporaryFile(prefix="paperless-upload-", dir=settings.SCRATCH_DIR, delete=False) as f:
 
-            f.write(document)
+            f.write(data)
             os.utime(f.name, times=(t, t))
 
             async_task("documents.tasks.consume_file", f.name, override_filename=original_filename, task_name=os.path.basename(original_filename))