authorThomas Tanghus <thomas@tanghus.net>2014-04-14 17:17:50 +0200
committerThomas Tanghus <thomas@tanghus.net>2014-04-14 17:17:50 +0200
commit51e47319ef2ab37d458dc96ba33a26bb851102be (patch)
treeb23ba6f4a4359a21db51dd9ae36d0def39c07209 /lib/private/files
parent71de32186936c4afc2e48a566c2d3c6f3fdf365b (diff)
White-list known secure mime types. Refs. #8184
Diffstat (limited to 'lib/private/files')
-rw-r--r--lib/private/files/type/detection.php40
1 files changed, 35 insertions, 5 deletions
diff --git a/lib/private/files/type/detection.php b/lib/private/files/type/detection.php
index 11e439032ce..8ee53917814 100644
--- a/lib/private/files/type/detection.php
+++ b/lib/private/files/type/detection.php
@@ -17,24 +17,40 @@ namespace OC\Files\Type;
*/
class Detection {
protected $mimetypes = array();
+ protected $secureMimeTypes = array();
/**
- * add an extension -> mimetype mapping
+ * Add an extension -> mimetype mapping
+ *
+ * $mimetype is the assumed correct mime type
+ * The optional $secureMimeType is an alternative to send to send
+ * to avoid potential XSS.
*
* @param string $extension
* @param string $mimetype
+ * @param string|null $secureMimeType
*/
- public function registerType($extension, $mimetype) {
- $this->mimetypes[$extension] = $mimetype;
+ public function registerType($extension, $mimetype, $secureMimeType = null) {
+ $this->mimetypes[$extension] = array($mimetype, $secureMimeType);
+ $this->secureMimeTypes[$mimetype] = $secureMimeType ?: $mimetype;
}
/**
- * add an array of extension -> mimetype mappings
+ * Add an array of extension -> mimetype mappings
+ *
+ * The mimetype value is in itself an array where the first index is
+ * the assumed correct mimetype and the second is either a secure alternative
+ * or null if the correct is considered secure.
*
* @param array $types
*/
public function registerTypeArray($types) {
$this->mimetypes = array_merge($this->mimetypes, $types);
+
+ // Update the alternative mimetypes to avoid having to look them up each time.
+ foreach ($this->mimetypes as $mimeType) {
+ $this->secureMimeTypes[$mimeType[0]] = $mimeType[1] ?: $mimeType[0];
+ }
}
/**
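Review bot: The `secureMimeTypes` table is keyed by mimetype and overwritten unconditionally in both `registerType` and the loop in `registerTypeArray`, so a later registration of the same mimetype with no secure alternative silently downgrades an earlier one — e.g. after `registerType('html', 'text/html', 'text/plain')`, a subsequent `registerType('htm', 'text/html')` makes `getSecureMimeType('text/html')` return `text/html` again, which defeats the white-list. Only overwrite when an explicit alternative is given or no entry exists yet: `if ($secureMimeType !== null || !isset($this->secureMimeTypes[$mimetype])) { $this->secureMimeTypes[$mimetype] = $secureMimeType ?: $mimetype; }`, and apply the same rule in the loop. The loop also walks all of `$this->mimetypes` on every call and reads `$mimeType[1]` without an `isset`, which raises an undefined-offset notice for a one-element entry; iterating `$types` only and guarding the second index avoids both.
```php
// … unchanged: array_merge into $this->mimetypes …
foreach ($types as $mimeType) {
    if (!is_array($mimeType) || !isset($mimeType[0])) {
        continue;
    }
    $secure = isset($mimeType[1]) && $mimeType[1] ? $mimeType[1] : null;
    if ($secure !== null || !isset($this->secureMimeTypes[$mimeType[0]])) {
        $this->secureMimeTypes[$mimeType[0]] = $secure ?: $mimeType[0];
    }
}
```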
@@ -48,7 +64,9 @@ class Detection {
//try to guess the type by the file extension
$extension = strtolower(strrchr(basename($path), "."));
$extension = substr($extension, 1); //remove leading .
- return (isset($this->mimetypes[$extension])) ? $this->mimetypes[$extension] : 'application/octet-stream';
+ return (isset($this->mimetypes[$extension]) && isset($this->mimetypes[$extension][0]))
+ ? $this->mimetypes[$extension][0]
+ : 'application/octet-stream';
} else {
return 'application/octet-stream';
}
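Review bot: `isset($this->mimetypes[$extension][0])` is also true for any non-empty string, so an entry still stored in the pre-change string form (anything a caller passes to `registerTypeArray` as a plain `extension => mimetype` string, which that method still accepts unchanged) makes `detectPath` return the first byte of the type instead of the type; the `$mimeType[0]` / `$mimeType[1]` reads in the `registerTypeArray` loop carry the same assumption. Check the shape explicitly: `$entry = isset($this->mimetypes[$extension]) ? $this->mimetypes[$extension] : null;` followed by `return is_array($entry) && isset($entry[0]) ? $entry[0] : 'application/octet-stream';`. The enclosing `detectPath` method begins outside this hunk.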
@@ -123,4 +141,16 @@ class Detection {
return $mime;
}
}
+
+ /**
+ * Get a secure mimetype that won't expose potential XSS.
+ *
+ * @param string $mimeType
+ * @return string
+ */
+ public function getSecureMimeType($mimeType) {
+ return isset($this->secureMimeTypes[$mimeType])
+ ? $this->secureMimeTypes[$mimeType]
+ : 'application/octet-stream';
+ }
}
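Review bot: The docblock should state the fail-closed contract, since callers relying on this for serving untrusted uploads need to know that anything not registered — including types produced by content sniffing elsewhere in this class, which I cannot see here — collapses to the generic binary type: `@return string The registered secure alternative, or 'application/octet-stream' for any mimetype not registered via registerType()/registerTypeArray()`. It is also worth noting in the comment that the lookup is an exact string match on the full mimetype, so a value carrying parameters (e.g. a charset suffix) will not hit the table and will fall through to the default.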