author | Gabriel Vasile <gabriel.vasile@email.com> | 2021-11-27 13:12:43 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2021-11-27 19:12:43 +0800 |
commit | 2e8fc5b034d7a2ceb22f264193a157230b48365a (patch) | |
tree | 7d7512cc7390ed105ee701d0f95106c8534941d8 | |
parent | 789d251ae4223fb3fe6c42333cb6731d8ebde05e (diff) | |
Replace regex usage for MIME parsing (#17831)
MIME types can have multiple optional parameters, eg:
video/webm; codecs="w/e codec"; charset="binary"
This commit replaces the usage of regex for getting the "type/subtype"
with mime.ParseMediaType.
-rw-r--r-- | modules/upload/upload.go | 8 |
1 files changed, 6 insertions, 2 deletions
diff --git a/modules/upload/upload.go b/modules/upload/upload.go index 097facb4d5..9d20f1082f 100644 --- a/modules/upload/upload.go +++ b/modules/upload/upload.go @@ -5,6 +5,7 @@ package upload import ( + "mime" "net/http" "net/url" "path" @@ -31,7 +32,6 @@ func (err ErrFileTypeForbidden) Error() string { return "This file extension or type is not allowed to be uploaded." } -var mimeTypeSuffixRe = regexp.MustCompile(`;.*$`) var wildcardTypeRe = regexp.MustCompile(`^[a-z]+/\*$`) // Verify validates whether a file is allowed to be uploaded. @@ -51,7 +51,11 @@ func Verify(buf []byte, fileName string, allowedTypesStr string) error { } fullMimeType := http.DetectContentType(buf) - mimeType := strings.TrimSpace(mimeTypeSuffixRe.ReplaceAllString(fullMimeType, "")) + mimeType, _, err := mime.ParseMediaType(fullMimeType) + if err != nil { + log.Warn("Detected attachment type could not be parsed %s", fullMimeType) + return ErrFileTypeForbidden{Type: fullMimeType} + } extension := strings.ToLower(path.Ext(fileName)) // https://developer.mozilla.org/en-US/docs/Web/HTML/Element/input/file#Unique_file_type_specifiers |
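Review bot: The warning in the new `err != nil` branch of `Verify` drops the parse error, so a rejected upload leaves no record of why `mime.ParseMediaType` refused the sniffed type; I would log it as `log.Warn("Detected attachment type %q could not be parsed: %v", fullMimeType, err)`. Returning `ErrFileTypeForbidden` when the detected type cannot be parsed is the right fail-closed choice for an upload check and deserves a one-line comment saying so, e.g. `// fail closed: an unparseable detected type is rejected before any allow-list matching`. The import hunk adds only `"mime"`, so `log` is presumably already imported in this file, which is not visible here. `Verify` begins before and continues past this hunk, so how `mimeType` and `extension` are matched afterwards cannot be checked from the diff.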