diff options
| author | Thomas Tanghus <thomas@tanghus.net> | 2014-04-14 17:17:50 +0200 |
|---|---|---|
| committer | Thomas Tanghus <thomas@tanghus.net> | 2014-04-14 17:17:50 +0200 |
| commit | 51e47319ef2ab37d458dc96ba33a26bb851102be (patch) | |
| tree | b23ba6f4a4359a21db51dd9ae36d0def39c07209 | |
| parent | 71de32186936c4afc2e48a566c2d3c6f3fdf365b (diff) | |
| download | nextcloud-server-51e47319ef2ab37d458dc96ba33a26bb851102be.tar.gz nextcloud-server-51e47319ef2ab37d458dc96ba33a26bb851102be.zip | |
White-list known secure mime types. Refs. #8184
| -rw-r--r-- | lib/private/connector/sabre/file.php | 6 | ||||
| -rw-r--r-- | lib/private/files/type/detection.php | 40 | ||||
| -rw-r--r-- | lib/private/helper.php | 10 | ||||
| -rw-r--r-- | lib/private/mimetypes.list.php | 210 | ||||
| -rw-r--r-- | tests/lib/helper.php | 12 |
5 files changed, 166 insertions, 112 deletions
diff --git a/lib/private/connector/sabre/file.php b/lib/private/connector/sabre/file.php index ef6caaf22a7..750d646a8f5 100644 --- a/lib/private/connector/sabre/file.php +++ b/lib/private/connector/sabre/file.php @@ -205,10 +205,12 @@ class OC_Connector_Sabre_File extends OC_Connector_Sabre_Node implements Sabre_D */ public function getContentType() { if (isset($this->fileinfo_cache['mimetype'])) { - return $this->fileinfo_cache['mimetype']; + $mimeType = $this->fileinfo_cache['mimetype']; + } else { + $mimeType = \OC\Files\Filesystem::getMimeType($this->path); } - return \OC\Files\Filesystem::getMimeType($this->path); + return \OC_Helper::getSecureMimeType($mimeType); } diff --git a/lib/private/files/type/detection.php b/lib/private/files/type/detection.php index 11e439032ce..8ee53917814 100644 --- a/lib/private/files/type/detection.php +++ b/lib/private/files/type/detection.php @@ -17,24 +17,40 @@ namespace OC\Files\Type; */ class Detection { protected $mimetypes = array(); + protected $secureMimeTypes = array(); /** - * add an extension -> mimetype mapping + * Add an extension -> mimetype mapping + * + * $mimetype is the assumed correct mime type + * The optional $secureMimeType is an alternative to send to send + * to avoid potential XSS. * * @param string $extension * @param string $mimetype + * @param string|null $secureMimeType */ - public function registerType($extension, $mimetype) { - $this->mimetypes[$extension] = $mimetype; + public function registerType($extension, $mimetype, $secureMimeType = null) { + $this->mimetypes[$extension] = array($mimetype, $secureMimeType); + $this->secureMimeTypes[$mimetype] = $secureMimeType ?: $mimetype; } /** - * add an array of extension -> mimetype mappings + * Add an array of extension -> mimetype mappings + * + * The mimetype value is in itself an array where the first index is + * the assumed correct mimetype and the second is either a secure alternative + * or null if the correct is considered secure. * * @param array $types */ public function registerTypeArray($types) { $this->mimetypes = array_merge($this->mimetypes, $types); + + // Update the alternative mimetypes to avoid having to look them up each time. + foreach ($this->mimetypes as $mimeType) { + $this->secureMimeTypes[$mimeType[0]] = $mimeType[1] ?: $mimeType[0]; + } } /** @@ -48,7 +64,9 @@ class Detection { //try to guess the type by the file extension $extension = strtolower(strrchr(basename($path), ".")); $extension = substr($extension, 1); //remove leading . - return (isset($this->mimetypes[$extension])) ? $this->mimetypes[$extension] : 'application/octet-stream'; + return (isset($this->mimetypes[$extension]) && isset($this->mimetypes[$extension][0])) + ? $this->mimetypes[$extension][0] + : 'application/octet-stream'; } else { return 'application/octet-stream'; } @@ -123,4 +141,16 @@ class Detection { return $mime; } } + + /** + * Get a secure mimetype that won't expose potential XSS. + * + * @param string $mimeType + * @return string + */ + public function getSecureMimeType($mimeType) { + return isset($this->secureMimeTypes[$mimeType]) + ? $this->secureMimeTypes[$mimeType] + : 'application/octet-stream'; + } } diff --git a/lib/private/helper.php b/lib/private/helper.php index da3d3cd1c6e..d5214823de9 100644 --- a/lib/private/helper.php +++ b/lib/private/helper.php @@ -431,6 +431,16 @@ class OC_Helper { } /** + * Get a secure mimetype that won't expose potential XSS. + * + * @param string $mimeType + * @return string + */ + static function getSecureMimeType($mimeType) { + return self::getMimetypeDetector()->getSecureMimeType($mimeType); + } + + /** * get the mimetype form a data string * * @param string $data diff --git a/lib/private/mimetypes.list.php b/lib/private/mimetypes.list.php index 91bcf584267..cdfd2ec0fdd 100644 --- a/lib/private/mimetypes.list.php +++ b/lib/private/mimetypes.list.php @@ -24,109 +24,109 @@ * Array mapping file extensions to mimetypes (in alphabetical order). */ return array( - '7z' => 'application/x-7z-compressed', - 'accdb' => 'application/msaccess', - 'ai' => 'application/illustrator', - 'avi' => 'video/x-msvideo', - 'bash' => 'text/x-shellscript', - 'blend' => 'application/x-blender', - 'bin' => 'application/x-bin', - 'bmp' => 'image/bmp', - 'cb7' => 'application/x-cbr', - 'cba' => 'application/x-cbr', - 'cbr' => 'application/x-cbr', - 'cbt' => 'application/x-cbr', - 'cbtc' => 'application/x-cbr', - 'cbz' => 'application/x-cbr', - 'cc' => 'text/x-c', - 'cdr' => 'application/coreldraw', - 'cpp' => 'text/x-c++src', - 'css' => 'text/css', - 'csv' => 'text/csv', - 'cvbdl' => 'application/x-cbr', - 'c' => 'text/x-c', - 'c++' => 'text/x-c++src', - 'deb' => 'application/x-deb', - 'doc' => 'application/msword', - 'docx' => 'application/vnd.openxmlformats-officedocument.wordprocessingml.document', - 'dot' => 'application/msword', - 'dotx' => 'application/vnd.openxmlformats-officedocument.wordprocessingml.template', - 'dv' => 'video/dv', - 'eot' => 'application/vnd.ms-fontobject', - 'epub' => 'application/epub+zip', - 'exe' => 'application/x-ms-dos-executable', - 'flac' => 'audio/flac', - 'gif' => 'image/gif', - 'gz' => 'application/x-gzip', - 'gzip' => 'application/x-gzip', - 'html' => 'text/html', - 'htm' => 'text/html', - 'ical' => 'text/calendar', - 'ics' => 'text/calendar', - 'impress' => 'text/impress', - 'jpeg' => 'image/jpeg', - 'jpg' => 'image/jpeg', - 'js' => 'application/javascript', - 'json' => 'application/json', - 'keynote' => 'application/x-iwork-keynote-sffkey', - 'kra' => 'application/x-krita', - 'm2t' => 'video/mp2t', - 'm4v' => 'video/mp4', - 'markdown' => 'text/markdown', - 'mdown' => 'text/markdown', - 'md' => 'text/markdown', - 'mdb' => 'application/msaccess', - 'mdwn' => 'text/markdown', - 'mkv' => 'video/x-matroska', - 'mobi' => 'application/x-mobipocket-ebook', - 'mov' => 'video/quicktime', - 'mp3' => 'audio/mpeg', - 'mp4' => 'video/mp4', - 'mpeg' => 'video/mpeg', - 'mpg' => 'video/mpeg', - 'msi' => 'application/x-msi', - 'numbers' => 'application/x-iwork-numbers-sffnumbers', - 'odg' => 'application/vnd.oasis.opendocument.graphics', - 'odp' => 'application/vnd.oasis.opendocument.presentation', - 'ods' => 'application/vnd.oasis.opendocument.spreadsheet', - 'odt' => 'application/vnd.oasis.opendocument.text', - 'oga' => 'audio/ogg', - 'ogg' => 'audio/ogg', - 'ogv' => 'video/ogg', - 'otf' => 'font/opentype', - 'pages' => 'application/x-iwork-pages-sffpages', - 'pdf' => 'application/pdf', - 'php' => 'application/x-php', - 'pl' => 'application/x-perl', - 'png' => 'image/png', - 'ppt' => 'application/mspowerpoint', - 'pptx' => 'application/vnd.openxmlformats-officedocument.presentationml.presentation', - 'psd' => 'application/x-photoshop', - 'py' => 'text/x-python', - 'rar' => 'application/x-rar-compressed', - 'reveal' => 'text/reveal', - 'sgf' => 'application/sgf', - 'sh-lib' => 'text/x-shellscript', - 'sh' => 'text/x-shellscript', - 'svg' => 'image/svg+xml', - 'swf' => 'application/x-shockwave-flash', - 'tar' => 'application/x-tar', - 'tar.gz' => 'application/x-compressed', - 'tex' => 'application/x-tex', - 'tgz' => 'application/x-compressed', - 'tiff' => 'image/tiff', - 'tif' => 'image/tiff', - 'ttf' => 'application/x-font-ttf', - 'txt' => 'text/plain', - 'vcard' => 'text/vcard', - 'vcf' => 'text/vcard', - 'wav' => 'audio/wav', - 'webm' => 'video/webm', - 'woff' => 'application/font-woff', - 'wmv' => 'video/x-ms-asf', - 'xcf' => 'application/x-gimp', - 'xls' => 'application/msexcel', - 'xlsx' => 'application/vnd.openxmlformats-officedocument.spreadsheetml.sheet', - 'xml' => 'application/xml', - 'zip' => 'application/zip', + '7z' => array('application/x-7z-compressed', null), + 'accdb' => array('application/msaccess', null), + 'ai' => array('application/illustrator', null), + 'avi' => array('video/x-msvideo', null), + 'bash' => array('text/x-shellscript', null), + 'blend' => array('application/x-blender', null), + 'bin' => array('application/x-bin', null), + 'bmp' => array('image/bmp', null), + 'cb7' => array('application/x-cbr', null), + 'cba' => array('application/x-cbr', null), + 'cbr' => array('application/x-cbr', null), + 'cbt' => array('application/x-cbr', null), + 'cbtc' => array('application/x-cbr', null), + 'cbz' => array('application/x-cbr', null), + 'cc' => array('text/x-c', null), + 'cdr' => array('application/coreldraw', null), + 'cpp' => array('text/x-c++src', null), + 'css' => array('text/css', null), + 'csv' => array('text/csv', null), + 'cvbdl' => array('application/x-cbr', null), + 'c' => array('text/x-c', null), + 'c++' => array('text/x-c++src', null), + 'deb' => array('application/x-deb', null), + 'doc' => array('application/msword', null), + 'docx' => array('application/vnd.openxmlformats-officedocument.wordprocessingml.document', null), + 'dot' => array('application/msword', null), + 'dotx' => array('application/vnd.openxmlformats-officedocument.wordprocessingml.template', null), + 'dv' => array('video/dv', null), + 'eot' => array('application/vnd.ms-fontobject', null), + 'epub' => array('application/epub+zip', null), + 'exe' => array('application/x-ms-dos-executable', null), + 'flac' => array('audio/flac', null), + 'gif' => array('image/gif', null), + 'gz' => array('application/x-gzip', null), + 'gzip' => array('application/x-gzip', null), + 'html' => array('text/html', 'text/plain'), + 'htm' => array('text/html', 'text/plain'), + 'ical' => array('text/calendar', null), + 'ics' => array('text/calendar', null), + 'impress' => array('text/impress', null), + 'jpeg' => array('image/jpeg', null), + 'jpg' => array('image/jpeg', null), + 'js' => array('application/javascript', 'text/plain'), + 'json' => array('application/json', 'text/plain'), + 'keynote' => array('application/x-iwork-keynote-sffkey', null), + 'kra' => array('application/x-krita', null), + 'm2t' => array('video/mp2t', null), + 'm4v' => array('video/mp4', null), + 'markdown' => array('text/markdown', null), + 'mdown' => array('text/markdown', null), + 'md' => array('text/markdown', null), + 'mdb' => array('application/msaccess', null), + 'mdwn' => array('text/markdown', null), + 'mkv' => array('video/x-matroska', null), + 'mobi' => array('application/x-mobipocket-ebook', null), + 'mov' => array('video/quicktime', null), + 'mp3' => array('audio/mpeg', null), + 'mp4' => array('video/mp4', null), + 'mpeg' => array('video/mpeg', null), + 'mpg' => array('video/mpeg', null), + 'msi' => array('application/x-msi', null), + 'numbers' => array('application/x-iwork-numbers-sffnumbers', null), + 'odg' => array('application/vnd.oasis.opendocument.graphics', null), + 'odp' => array('application/vnd.oasis.opendocument.presentation', null), + 'ods' => array('application/vnd.oasis.opendocument.spreadsheet', null), + 'odt' => array('application/vnd.oasis.opendocument.text', null), + 'oga' => array('audio/ogg', null), + 'ogg' => array('audio/ogg', null), + 'ogv' => array('video/ogg', null), + 'otf' => array('font/opentype', null), + 'pages' => array('application/x-iwork-pages-sffpages', null), + 'pdf' => array('application/pdf', null), + 'php' => array('application/x-php', null), + 'pl' => array('application/x-perl', null), + 'png' => array('image/png', null), + 'ppt' => array('application/mspowerpoint', null), + 'pptx' => array('application/vnd.openxmlformats-officedocument.presentationml.presentation', null), + 'psd' => array('application/x-photoshop', null), + 'py' => array('text/x-python', null), + 'rar' => array('application/x-rar-compressed', null), + 'reveal' => array('text/reveal', null), + 'sgf' => array('application/sgf', null), + 'sh-lib' => array('text/x-shellscript', null), + 'sh' => array('text/x-shellscript', null), + 'svg' => array('image/svg+xml', 'text/plain'), + 'swf' => array('application/x-shockwave-flash', 'application/octet-stream'), + 'tar' => array('application/x-tar', null), + 'tar.gz' => array('application/x-compressed', null), + 'tex' => array('application/x-tex', null), + 'tgz' => array('application/x-compressed', null), + 'tiff' => array('image/tiff', null), + 'tif' => array('image/tiff', null), + 'ttf' => array('application/x-font-ttf', null), + 'txt' => array('text/plain', null), + 'vcard' => array('text/vcard', null), + 'vcf' => array('text/vcard', null), + 'wav' => array('audio/wav', null), + 'webm' => array('video/webm', null), + 'woff' => array('application/font-woff', null), + 'wmv' => array('video/x-ms-asf', null), + 'xcf' => array('application/x-gimp', null), + 'xls' => array('application/msexcel', null), + 'xlsx' => array('application/vnd.openxmlformats-officedocument.spreadsheetml.sheet', null), + 'xml' => array('application/xml', 'text/plain'), + 'zip' => array('application/zip', null), ); diff --git a/tests/lib/helper.php b/tests/lib/helper.php index 0943e6bc1b9..5d319e40f02 100644 --- a/tests/lib/helper.php +++ b/tests/lib/helper.php @@ -71,6 +71,18 @@ class Test_Helper extends PHPUnit_Framework_TestCase { $this->assertEquals($result, $expected); } + function testGetSecureMimeType() { + $dir=OC::$SERVERROOT.'/tests/data'; + + $result = OC_Helper::getSecureMimeType('image/svg+xml'); + $expected = 'text/plain'; + $this->assertEquals($result, $expected); + + $result = OC_Helper::getSecureMimeType('image/png'); + $expected = 'image/png'; + $this->assertEquals($result, $expected); + } + function testGetFileNameMimeType() { $this->assertEquals('text/plain', OC_Helper::getFileNameMimeType('foo.txt')); $this->assertEquals('image/png', OC_Helper::getFileNameMimeType('foo.png')); |