diff options
| author | Joas Schilling <coding@schilljs.com> | 2016-08-29 16:50:01 +0200 |
|---|---|---|
| committer | Joas Schilling <coding@schilljs.com> | 2016-10-18 16:22:20 +0200 |
| commit | 656e3f7a24d5ce64f10a1c8032f9b76fee1c9908 (patch) | |
| tree | f51887328477f0db2869e7b52fc77e77f49e9968 /core/Controller/AvatarController.php | |
| parent | 6375790263c5fadc72e48c9486b06b28d9e805cb (diff) | |
| download | nextcloud-server-656e3f7a24d5ce64f10a1c8032f9b76fee1c9908.tar.gz nextcloud-server-656e3f7a24d5ce64f10a1c8032f9b76fee1c9908.zip | |
Check the mimetype before reading the content and catch exception
Signed-off-by: Joas Schilling <coding@schilljs.com>
Diffstat (limited to 'core/Controller/AvatarController.php')
| -rw-r--r-- | core/Controller/AvatarController.php | 17 |
1 files changed, 16 insertions, 1 deletions
diff --git a/core/Controller/AvatarController.php b/core/Controller/AvatarController.php index b27d1182225..c6f320dd0fe 100644 --- a/core/Controller/AvatarController.php +++ b/core/Controller/AvatarController.php @@ -189,7 +189,22 @@ class AvatarController extends Controller { Http::STATUS_BAD_REQUEST ); } - $content = $node->getContent(); + + if ($node->getMimeType() !== 'image/jpeg' && $node->getMimeType() !== 'image/png') { + return new JSONResponse( + ['data' => ['message' => $this->l->t('The selected file is not an image.')]], + Http::STATUS_BAD_REQUEST + ); + } + + try { + $content = $node->getContent(); + } catch (\OCP\Files\NotPermittedException $e) { + return new JSONResponse( + ['data' => ['message' => $this->l->t('The selected file cannot be read.')]], + Http::STATUS_BAD_REQUEST + ); + } } elseif (!is_null($files)) { if ( $files['error'][0] === 0 && |