prevent opening non-music files through the media ajax api

author: Robin Appelman <icewind@owncloud.com> 2012-06-09 17:39:14 +0200
committer: Robin Appelman <icewind@owncloud.com> 2012-06-09 17:39:14 +0200
commit: d065b2d29edb4bb72492dde46293e77fa03b50d6 (patch)
tree: 6cc614de150f3fcbbebb39290d33c5ecb8a07000 /apps/media
parent: 601bac746d62540425f7a9e13ffbbc61e12eaca2 (diff)
download: nextcloud-server-d065b2d29edb4bb72492dde46293e77fa03b50d6.tar.gz
nextcloud-server-d065b2d29edb4bb72492dde46293e77fa03b50d6.zip
1 files changed, 4 insertions, 0 deletions
diff --git a/apps/media/ajax/api.php b/apps/media/ajax/api.php
index 6e269f3bb78..a229c17e804 100644
--- a/apps/media/ajax/api.php
+++ b/apps/media/ajax/api.php
@@ -103,6 +103,10 @@ if($arguments['action']){
 			@ob_end_clean();
 			
 			$ftype=OC_Filesystem::getMimeType( $arguments['path'] );
+			if(substr($ftype,0,5)!='audio' and $ftype!='application/ogg'){
+				echo 'Not an audio file';
+				exit();
+			}
 			
 			$songId=OC_MEDIA_COLLECTION::getSongByPath($arguments['path']);
 			OC_MEDIA_COLLECTION::registerPlay($songId);
author	Robin Appelman <icewind@owncloud.com>	2012-06-09 17:39:14 +0200
committer	Robin Appelman <icewind@owncloud.com>	2012-06-09 17:39:14 +0200
commit	d065b2d29edb4bb72492dde46293e77fa03b50d6 (patch)
tree	6cc614de150f3fcbbebb39290d33c5ecb8a07000 /apps/media
parent	601bac746d62540425f7a9e13ffbbc61e12eaca2 (diff)
download	nextcloud-server-d065b2d29edb4bb72492dde46293e77fa03b50d6.tar.gz nextcloud-server-d065b2d29edb4bb72492dde46293e77fa03b50d6.zip