Merge pull request #9503 from nextcloud/bugfix/noid/theming-mime-check

Check mime type properly in theming app
author: Morris Jobke <hey@morrisjobke.de> 2018-05-17 15:48:44 +0200
committer: GitHub <noreply@github.com> 2018-05-17 15:48:44 +0200
commit: 63d5491a73732e3345c0a026cffbc77c42906173 (patch)
tree: 4b8fe0a7ab96d99e94ec9a42ef5adbdcf327d662 /apps
parent: ef665fde426d770f31d8d4349d047734d27b87d0 (diff)
parent: 5b3ca8f7c69f5fd44e0970f2bf10eb3ba4dad7ab (diff)
download: nextcloud-server-63d5491a73732e3345c0a026cffbc77c42906173.tar.gz
nextcloud-server-63d5491a73732e3345c0a026cffbc77c42906173.zip
2 files changed, 13 insertions, 8 deletions
diff --git a/apps/theming/lib/Controller/ThemingController.php b/apps/theming/lib/Controller/ThemingController.php
index 421af051998..e4a8f0b5036 100644
--- a/apps/theming/lib/Controller/ThemingController.php
+++ b/apps/theming/lib/Controller/ThemingController.php
@@ -248,8 +248,9 @@ class ThemingController extends Controller {
 		}
 
 		$target = $folder->newFile($key);
-		$supportedFormats = ['image/jpeg', 'image/png', 'image/gif', 'image/svg+xml', 'text/svg'];
-		if (!in_array($image['type'], $supportedFormats)) {
+		$supportedFormats = ['image/jpeg', 'image/png', 'image/gif', 'image/svg+xml', 'image/svg'];
+		$detectedMimeType = mime_content_type($image['tmp_name']);
+		if (!in_array($image['type'], $supportedFormats) || !in_array($detectedMimeType, $supportedFormats)) {
 			return new DataResponse(
 				[
 					'data' => [
@@ -353,6 +354,7 @@ class ThemingController extends Controller {
 		$response->addHeader('Expires', $expires->format(\DateTime::RFC2822));
 		$response->addHeader('Pragma', 'cache');
 		$response->addHeader('Content-Type', $this->config->getAppValue($this->appName, $key . 'Mime', ''));
+		$response->addHeader('Content-Disposition', 'attachment; filename="' . $key . '"');
 		return $response;
 	}
 
diff --git a/apps/theming/tests/Controller/ThemingControllerTest.php b/apps/theming/tests/Controller/ThemingControllerTest.php
index dda881525f0..eddf5bc56dc 100644
--- a/apps/theming/tests/Controller/ThemingControllerTest.php
+++ b/apps/theming/tests/Controller/ThemingControllerTest.php
@@ -255,7 +255,7 @@ class ThemingControllerTest extends TestCase {
 			->method('getUploadedFile')
 			->with('image')
 			->willReturn([
-				'tmp_name' => 'logo.pdf',
+				'tmp_name' => __DIR__  . '/../../../../tests/data/lorem.txt',
 				'type' => 'application/pdf',
 				'name' => 'logo.pdf',
 				'error' => 0,
@@ -295,7 +295,7 @@ class ThemingControllerTest extends TestCase {
 			['image/gif'],
 			['image/png'],
 			['image/svg+xml'],
-			['text/svg'],
+			['image/svg']
 		];
 	}
 
@@ -305,6 +305,7 @@ class ThemingControllerTest extends TestCase {
 		$destination = \OC::$server->getTempManager()->getTemporaryFolder();
 
 		touch($tmpLogo);
+		copy(__DIR__ . '/../../../../tests/data/testimage.png', $tmpLogo);
 		$this->request
 			->expects($this->at(0))
 			->method('getParam')
@@ -377,10 +378,10 @@ class ThemingControllerTest extends TestCase {
 
 	/** @dataProvider dataUpdateImages */
 	public function testUpdateLogoLoginScreenUpload($folderExists) {
-		$tmpLogo = \OC::$server->getTempManager()->getTemporaryFolder() . '/logo.svg';
+		$tmpLogo = \OC::$server->getTempManager()->getTemporaryFolder() . 'logo.png';
 
 		touch($tmpLogo);
-		file_put_contents($tmpLogo, file_get_contents(__DIR__  . '/../../../../tests/data/desktopapp.png'));
+		copy(__DIR__ . '/../../../../tests/data/desktopapp.png', $tmpLogo);
 		$this->request
 			->expects($this->at(0))
 			->method('getParam')
@@ -392,7 +393,7 @@ class ThemingControllerTest extends TestCase {
 			->with('image')
 			->willReturn([
 				'tmp_name' => $tmpLogo,
-				'type' => 'text/svg',
+				'type' => 'image/svg+xml',
 				'name' => 'logo.svg',
 				'error' => 0,
 			]);
@@ -524,7 +525,7 @@ class ThemingControllerTest extends TestCase {
 			->with('image')
 			->willReturn([
 				'tmp_name' => '',
-				'type' => 'text/svg',
+				'type' => 'image/svg+xml',
 				'name' => 'logo.svg',
 				'error' => $error,
 			]);
@@ -700,6 +701,7 @@ class ThemingControllerTest extends TestCase {
 		$expected->addHeader('Expires', $expires->format(\DateTime::RFC2822));
 		$expected->addHeader('Pragma', 'cache');
 		$expected->addHeader('Content-Type', 'text/svg');
+		$expected->addHeader('Content-Disposition', 'attachment; filename="logo"');
 		@$this->assertEquals($expected, $this->themingController->getImage('logo'));
 	}
 
@@ -732,6 +734,7 @@ class ThemingControllerTest extends TestCase {
 		$expected->addHeader('Expires', $expires->format(\DateTime::RFC2822));
 		$expected->addHeader('Pragma', 'cache');
 		$expected->addHeader('Content-Type', 'image/png');
+		$expected->addHeader('Content-Disposition', 'attachment; filename="background"');
 		@$this->assertEquals($expected, $this->themingController->getImage('background'));
 	}
author	Morris Jobke <hey@morrisjobke.de>	2018-05-17 15:48:44 +0200
committer	GitHub <noreply@github.com>	2018-05-17 15:48:44 +0200
commit	63d5491a73732e3345c0a026cffbc77c42906173 (patch)
tree	4b8fe0a7ab96d99e94ec9a42ef5adbdcf327d662 /apps
parent	ef665fde426d770f31d8d4349d047734d27b87d0 (diff)
parent	5b3ca8f7c69f5fd44e0970f2bf10eb3ba4dad7ab (diff)
download	nextcloud-server-63d5491a73732e3345c0a026cffbc77c42906173.tar.gz nextcloud-server-63d5491a73732e3345c0a026cffbc77c42906173.zip