authorMorris Jobke <hey@morrisjobke.de>2016-09-09 14:46:44 +0200
committerGitHub <noreply@github.com>2016-09-09 14:46:44 +0200
commitf6c7b4e6ebe9c16d4cdd6ac79748bec8eb2dc7eb (patch)
tree27c4c2aade1c9e95a44f904dc85a3dcf7067f4c3
parentf5aafdc89789623e72f9a05ecc2629ed2894668b (diff)
parent67439951e6751bb09161514da87a0c14b3831cc1 (diff)
Merge pull request #1339 from nextcloud/master-limit-possible-image-mimetypes
Filter more mimetypes
-rw-r--r--apps/dav/lib/CardDAV/ImageExportPlugin.php12
-rw-r--r--apps/dav/tests/unit/CardDAV/ImageExportPluginTest.php60
2 files changed, 63 insertions, 9 deletions
diff --git a/apps/dav/lib/CardDAV/ImageExportPlugin.php b/apps/dav/lib/CardDAV/ImageExportPlugin.php
index 31e8ed6a5e5..e48410d26d6 100644
--- a/apps/dav/lib/CardDAV/ImageExportPlugin.php
+++ b/apps/dav/lib/CardDAV/ImageExportPlugin.php
@@ -87,6 +87,7 @@ class ImageExportPlugin extends ServerPlugin {
if ($result = $this->getPhoto($node)) {
$response->setHeader('Content-Type', $result['Content-Type']);
+ $response->setHeader('Content-Disposition', 'attachment');
$response->setStatus(200);
$response->setBody($result['body']);
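Review bot: The added `Content-Disposition: attachment` header is only half of the defence, because the `Content-Type` sent two lines above is still whatever `getPhoto()` derived from the vCard rather than from the bytes. Pairing it with `$response->setHeader('X-Content-Type-Options', 'nosniff');` keeps browsers from reinterpreting the body as a type other than the one the server declared. A filename would also help clients that honour the disposition, e.g. `'attachment; filename="photo"'`, but that is cosmetic. The enclosing `httpGet` method starts and ends outside the hunk.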
@@ -121,6 +122,17 @@ class ImageExportPlugin extends ServerPlugin {
}
$val = file_get_contents($val);
}
+
+ $allowedContentTypes = [
+ 'image/png',
+ 'image/jpeg',
+ 'image/gif',
+ ];
+
+ if(!in_array($type, $allowedContentTypes, true)) {
+ $type = 'application/octet-stream';
+ }
+
return [
'Content-Type' => $type,
'body' => $val
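Review bot: The allow-list check at `in_array($type, $allowedContentTypes, true)` is case-sensitive, while media types are case-insensitive, so a value such as `image/JPEG` would be downgraded to `application/octet-stream` even though it is a permitted image type; if `$type` is taken from the vCard's `TYPE`/`MEDIATYPE` parameter or a data-URI (that code is above the hunk and not visible here), normalising with `$type = strtolower($type);` before the check is safer than relying on the producer's casing. The check also only trusts the declared type, not the content; that is acceptable together with the attachment disposition, but a comment such as `// Only types browsers treat as passive images are passed through; everything else is served as an opaque download` would record the intent. Hoisting the list into a `private const` (or class property on this PHP version) would keep it out of the request path and make it reusable by the tests. The enclosing `getPhoto` method starts outside the hunk.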
diff --git a/apps/dav/tests/unit/CardDAV/ImageExportPluginTest.php b/apps/dav/tests/unit/CardDAV/ImageExportPluginTest.php
index 229fa7ec6f2..e878cbd4f59 100644
--- a/apps/dav/tests/unit/CardDAV/ImageExportPluginTest.php
+++ b/apps/dav/tests/unit/CardDAV/ImageExportPluginTest.php
@@ -107,9 +107,20 @@ class ImageExportPluginTest extends TestCase {
$this->plugin->expects($this->once())->method('getPhoto')->willReturn($getPhotoResult);
if (!$expected) {
- $this->response->expects($this->once())->method('setHeader');
- $this->response->expects($this->once())->method('setStatus');
- $this->response->expects($this->once())->method('setBody');
+ $this->response
+ ->expects($this->at(0))
+ ->method('setHeader')
+ ->with('Content-Type', $getPhotoResult['Content-Type']);
+ $this->response
+ ->expects($this->at(1))
+ ->method('setHeader')
+ ->with('Content-Disposition', 'attachment');
+ $this->response
+ ->expects($this->once())
+ ->method('setStatus');
+ $this->response
+ ->expects($this->once())
+ ->method('setBody');
}
$result = $this->plugin->httpGet($this->request, $this->response);
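Review bot: The `$this->at(0)` / `$this->at(1)` matchers on the replaced `setHeader` expectations count every invocation on the `$this->response` mock, not just calls to `setHeader`, so any new call placed before the headers in `httpGet` will silently break this test; the order of the two headers is also not part of the contract being tested. `->expects($this->exactly(2))->method('setHeader')->withConsecutive(['Content-Type', $getPhotoResult['Content-Type']], ['Content-Disposition', 'attachment'])` asserts the same thing without the positional coupling. The enclosing test method starts outside the hunk.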
@@ -142,12 +153,43 @@ class ImageExportPluginTest extends TestCase {
public function providesPhotoData() {
return [
- 'empty vcard' => [false, ''],
- 'vcard without PHOTO' => [false, "BEGIN:VCARD\r\nVERSION:3.0\r\nPRODID:-//Sabre//Sabre VObject 3.5.0//EN\r\nUID:12345\r\nFN:12345\r\nN:12345;;;;\r\nEND:VCARD\r\n"],
- 'vcard 3 with PHOTO' => [['Content-Type' => 'image/jpeg', 'body' => '12345'], "BEGIN:VCARD\r\nVERSION:3.0\r\nPRODID:-//Sabre//Sabre VObject 3.5.0//EN\r\nUID:12345\r\nFN:12345\r\nN:12345;;;;\r\nPHOTO;ENCODING=b;TYPE=JPEG:MTIzNDU=\r\nEND:VCARD\r\n"],
- 'vcard 3 with PHOTO URL' => [false, "BEGIN:VCARD\r\nVERSION:3.0\r\nPRODID:-//Sabre//Sabre VObject 3.5.0//EN\r\nUID:12345\r\nFN:12345\r\nN:12345;;;;\r\nPHOTO;TYPE=JPEG;VALUE=URI:http://example.com/photo.jpg\r\nEND:VCARD\r\n"],
- 'vcard 4 with PHOTO' => [['Content-Type' => 'image/jpeg', 'body' => '12345'], "BEGIN:VCARD\r\nVERSION:4.0\r\nPRODID:-//Sabre//Sabre VObject 3.5.0//EN\r\nUID:12345\r\nFN:12345\r\nN:12345;;;;\r\nPHOTO:\r\nEND:VCARD\r\n"],
- 'vcard 4 with PHOTO URL' => [false, "BEGIN:VCARD\r\nVERSION:4.0\r\nPRODID:-//Sabre//Sabre VObject 3.5.0//EN\r\nUID:12345\r\nFN:12345\r\nN:12345;;;;\r\nPHOTO;MEDIATYPE=image/jpeg:http://example.org/photo.jpg\r\nEND:VCARD\r\n"],
+ 'empty vcard' => [
+ false,
+ ''
+ ],
+ 'vcard without PHOTO' => [
+ false,
+ "BEGIN:VCARD\r\nVERSION:3.0\r\nPRODID:-//Sabre//Sabre VObject 3.5.0//EN\r\nUID:12345\r\nFN:12345\r\nN:12345;;;;\r\nEND:VCARD\r\n"
+ ],
+ 'vcard 3 with PHOTO' => [
+ [
+ 'Content-Type' => 'image/jpeg',
+ 'body' => '12345'
+ ],
+ "BEGIN:VCARD\r\nVERSION:3.0\r\nPRODID:-//Sabre//Sabre VObject 3.5.0//EN\r\nUID:12345\r\nFN:12345\r\nN:12345;;;;\r\nPHOTO;ENCODING=b;TYPE=JPEG:MTIzNDU=\r\nEND:VCARD\r\n"
+ ],
+ 'vcard 3 with PHOTO URL' => [
+ false,
+ "BEGIN:VCARD\r\nVERSION:3.0\r\nPRODID:-//Sabre//Sabre VObject 3.5.0//EN\r\nUID:12345\r\nFN:12345\r\nN:12345;;;;\r\nPHOTO;TYPE=JPEG;VALUE=URI:http://example.com/photo.jpg\r\nEND:VCARD\r\n"
+ ],
+ 'vcard 4 with PHOTO' => [
+ [
+ 'Content-Type' => 'image/jpeg',
+ 'body' => '12345'
+ ],
+ "BEGIN:VCARD\r\nVERSION:4.0\r\nPRODID:-//Sabre//Sabre VObject 3.5.0//EN\r\nUID:12345\r\nFN:12345\r\nN:12345;;;;\r\nPHOTO:\r\nEND:VCARD\r\n"
+ ],
+ 'vcard 4 with PHOTO URL' => [
+ false,
+ "BEGIN:VCARD\r\nVERSION:4.0\r\nPRODID:-//Sabre//Sabre VObject 3.5.0//EN\r\nUID:12345\r\nFN:12345\r\nN:12345;;;;\r\nPHOTO;MEDIATYPE=image/jpeg:http://example.org/photo.jpg\r\nEND:VCARD\r\n"
+ ],
+ 'vcard 4 with PHOTO AND INVALID MIMEtYPE' => [
+ [
+ 'Content-Type' => 'application/octet-stream',
+ 'body' => '12345'
+ ],
+ "BEGIN:VCARD\r\nVERSION:4.0\r\nPRODID:-//Sabre//Sabre VObject 3.5.0//EN\r\nUID:12345\r\nFN:12345\r\nN:12345;;;;\r\nPHOTO:\r\nEND:VCARD\r\n"
+ ],
];
}
}
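Review bot: The new dataset `'vcard 4 with PHOTO AND INVALID MIMEtYPE'` does not exercise the mime-type filtering this commit adds, because `getPhoto` is mocked in the preceding hunk (`->method('getPhoto')->willReturn($getPhotoResult)`) and the vCard string is identical to the `'vcard 4 with PHOTO'` case; the test only checks that the mocked `application/octet-stream` result is echoed back into the headers. A meaningful regression test would call the real `getPhoto()` with a vCard whose `PHOTO` carries a non-allow-listed type (for instance a `MEDIATYPE=image/svg+xml` data URI) and assert that the returned `Content-Type` is `application/octet-stream`. The dataset key also has a typo, `MIMEtYPE` for `MIMETYPE`.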