authorJulius Härtl <jus@bitgrid.net>2018-05-17 11:24:19 +0200
committerJulius Härtl <jus@bitgrid.net>2018-05-17 11:46:01 +0200
commit2bf51c7b9eee1da51e7c0f7a5cbcd76d06fdc9fa (patch)
treed2f7f86fe148a3f583046322c9082fd72363c4c1
parent0dcb6b267524b645d3e058b935bf8f6b31bf1f56 (diff)
Properly check mime type of the uploaded file
Signed-off-by: Julius Härtl <jus@bitgrid.net>
-rw-r--r--apps/theming/lib/Controller/ThemingController.php5
-rw-r--r--apps/theming/tests/Controller/ThemingControllerTest.php13
2 files changed, 10 insertions, 8 deletions
diff --git a/apps/theming/lib/Controller/ThemingController.php b/apps/theming/lib/Controller/ThemingController.php
index 421af051998..5e1e3d08dc9 100644
--- a/apps/theming/lib/Controller/ThemingController.php
+++ b/apps/theming/lib/Controller/ThemingController.php
@@ -248,8 +248,9 @@ class ThemingController extends Controller {
}
$target = $folder->newFile($key);
- $supportedFormats = ['image/jpeg', 'image/png', 'image/gif', 'image/svg+xml', 'text/svg'];
- if (!in_array($image['type'], $supportedFormats)) {
+ $supportedFormats = ['image/jpeg', 'image/png', 'image/gif', 'image/svg+xml', 'image/svg'];
+ $detectedMimeType = mime_content_type($image['tmp_name']);
+ if (!in_array($image['type'], $supportedFormats) || !in_array($detectedMimeType, $supportedFormats)) {
return new DataResponse(
[
'data' => [
diff --git a/apps/theming/tests/Controller/ThemingControllerTest.php b/apps/theming/tests/Controller/ThemingControllerTest.php
index dda881525f0..6d756c13a5a 100644
--- a/apps/theming/tests/Controller/ThemingControllerTest.php
+++ b/apps/theming/tests/Controller/ThemingControllerTest.php
@@ -255,7 +255,7 @@ class ThemingControllerTest extends TestCase {
->method('getUploadedFile')
->with('image')
->willReturn([
- 'tmp_name' => 'logo.pdf',
+ 'tmp_name' => __DIR__ . '/../../../../tests/data/lorem.txt',
'type' => 'application/pdf',
'name' => 'logo.pdf',
'error' => 0,
@@ -295,7 +295,7 @@ class ThemingControllerTest extends TestCase {
['image/gif'],
['image/png'],
['image/svg+xml'],
- ['text/svg'],
+ ['image/svg']
];
}
@@ -305,6 +305,7 @@ class ThemingControllerTest extends TestCase {
$destination = \OC::$server->getTempManager()->getTemporaryFolder();
touch($tmpLogo);
+ copy(__DIR__ . '/../../../../tests/data/testimagelarge.svg', $tmpLogo);
$this->request
->expects($this->at(0))
->method('getParam')
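Review bot: The added `copy()` makes the preceding `touch($tmpLogo)` redundant, since `copy()` creates or overwrites the destination itself; the same pairing appears in the hunk at line 378 of this file. Dropping the `touch` in both places, or replacing both lines with the single `copy(...)` call, keeps the fixture setup to one statement. The enclosing test method starts and ends outside the hunk.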
@@ -377,10 +378,10 @@ class ThemingControllerTest extends TestCase {
/** @dataProvider dataUpdateImages */
public function testUpdateLogoLoginScreenUpload($folderExists) {
- $tmpLogo = \OC::$server->getTempManager()->getTemporaryFolder() . '/logo.svg';
+ $tmpLogo = \OC::$server->getTempManager()->getTemporaryFolder() . 'logo.png';
touch($tmpLogo);
- file_put_contents($tmpLogo, file_get_contents(__DIR__ . '/../../../../tests/data/desktopapp.png'));
+ copy(__DIR__ . '/../../../../tests/data/desktopapp.png', $tmpLogo);
$this->request
->expects($this->at(0))
->method('getParam')
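Review bot: The new `$tmpLogo` line drops the `/` that the removed line placed between `getTemporaryFolder()` and the file name; if `getTemporaryFolder()` does not return a path with a trailing separator, the PNG is written beside the temporary folder rather than inside it, and the other `getTemporaryFolder()` use in the hunk at line 305 gives no hint either way. Keeping the original form, `$tmpLogo = \OC::$server->getTempManager()->getTemporaryFolder() . '/logo.png';`, is safe in both cases since a doubled separator is harmless. The enclosing method continues outside the hunk.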
@@ -392,7 +393,7 @@ class ThemingControllerTest extends TestCase {
->with('image')
->willReturn([
'tmp_name' => $tmpLogo,
- 'type' => 'text/svg',
+ 'type' => 'image/svg+xml',
'name' => 'logo.svg',
'error' => 0,
]);
@@ -524,7 +525,7 @@ class ThemingControllerTest extends TestCase {
->with('image')
->willReturn([
'tmp_name' => '',
- 'type' => 'text/svg',
+ 'type' => 'image/svg+xml',
'name' => 'logo.svg',
'error' => $error,
]);