From 47241536375b8ce5c143b5455280dc569fe009b4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Gina=20H=C3=A4u=C3=9Fge?= <osd@foosel.net>
Date: Mon, 17 Oct 2016 11:33:23 +0200
Subject: [PATCH] Restrict upload dialogs for plugins and language packs to
 supported extensions

---
 src/octoprint/plugins/pluginmanager/__init__.py            | 7 +++++--
 .../pluginmanager/templates/pluginmanager_settings.jinja2  | 2 +-
 src/octoprint/templates/dialogs/settings/appearance.jinja2 | 2 +-
 3 files changed, 7 insertions(+), 4 deletions(-)

diff --git a/src/octoprint/plugins/pluginmanager/__init__.py b/src/octoprint/plugins/pluginmanager/__init__.py
index 914d0a03..e1f36c99 100644
--- a/src/octoprint/plugins/pluginmanager/__init__.py
+++ b/src/octoprint/plugins/pluginmanager/__init__.py
@@ -32,6 +32,8 @@ class PluginManagerPlugin(octoprint.plugin.SimpleApiPlugin,
                           octoprint.plugin.StartupPlugin,
                           octoprint.plugin.BlueprintPlugin):
 
+	ARCHIVE_EXTENSIONS = (".zip", ".tar.gz", ".tgz", ".tar")
+
 	def __init__(self):
 		self._pending_enable = set()
 		self._pending_disable = set()
@@ -116,7 +118,8 @@ class PluginManagerPlugin(octoprint.plugin.SimpleApiPlugin,
 		plugins = sorted(self._get_plugins(), key=lambda x: x["name"].lower())
 		return dict(
 			all=plugins,
-			thirdparty=filter(lambda p: not p["bundled"], plugins)
+			thirdparty=filter(lambda p: not p["bundled"], plugins),
+			archive_extensions=self.__class__.ARCHIVE_EXTENSIONS
 		)
 
 	def get_template_types(self, template_sorting, template_rules, *args, **kwargs):
@@ -141,7 +144,7 @@ class PluginManagerPlugin(octoprint.plugin.SimpleApiPlugin,
 		upload_path = flask.request.values[input_upload_path]
 		upload_name = flask.request.values[input_upload_name]
 
-		exts = filter(lambda x: upload_name.lower().endswith(x), (".zip", ".tar.gz", ".tgz", ".tar"))
+		exts = filter(lambda x: upload_name.lower().endswith(x), self.__class__.ARCHIVE_EXTENSIONS)
 		if not len(exts):
 			return flask.make_response("File doesn't have a valid extension for a plugin archive", 400)
 
diff --git a/src/octoprint/plugins/pluginmanager/templates/pluginmanager_settings.jinja2 b/src/octoprint/plugins/pluginmanager/templates/pluginmanager_settings.jinja2
index e0b68560..0c9c721d 100644
--- a/src/octoprint/plugins/pluginmanager/templates/pluginmanager_settings.jinja2
+++ b/src/octoprint/plugins/pluginmanager/templates/pluginmanager_settings.jinja2
@@ -173,7 +173,7 @@
                 <div class="input-prepend span9">
                     <span class="btn fileinput-button">
                         <span>{{ _('Browse...') }}</span>
-                        <input id="settings_plugin_pluginmanager_repositorydialog_upload" type="file" name="file" data-url="{{ url_for("plugin.pluginmanager.upload_archive") }}">
+                        <input id="settings_plugin_pluginmanager_repositorydialog_upload" type="file" name="file" accept="{{ ",".join(plugin_pluginmanager_archive_extensions) }}" data-url="{{ url_for("plugin.pluginmanager.upload_archive") }}">
                     </span>
                     <span class="add-on add-on-limited text-left" data-bind="text: uploadFilename, attr: {title: uploadFilename}"></span>
                 </div>
diff --git a/src/octoprint/templates/dialogs/settings/appearance.jinja2 b/src/octoprint/templates/dialogs/settings/appearance.jinja2
index ea7111ca..c4a95ea4 100644
--- a/src/octoprint/templates/dialogs/settings/appearance.jinja2
+++ b/src/octoprint/templates/dialogs/settings/appearance.jinja2
@@ -88,7 +88,7 @@
                 <div class="input-prepend span9">
                     <span class="btn fileinput-button">
                         <span>{{ _('Browse...') }}</span>
-                        <input id="settings_appearance_managelanguagesdialog_upload" type="file" name="file" data-url="{{ url_for("api.uploadLanguagePack") }}">
+                        <input id="settings_appearance_managelanguagesdialog_upload" type="file" name="file" accept=".zip,.tar.gz,.tgz,.tar" data-url="{{ url_for("api.uploadLanguagePack") }}">
                     </span>
                     <span class="add-on add-on-limited text-left" data-bind="text: translationUploadFilename, attr: {title: translationUploadFilename}"></span>
                 </div>