From 67439951e6751bb09161514da87a0c14b3831cc1 Mon Sep 17 00:00:00 2001
From: Lukas Reschke <lukas@statuscode.ch>
Date: Fri, 9 Sep 2016 12:32:56 +0200
Subject: Filter more mimetypes

There's no need to allow more than those defined mimetypes for images.
---
 apps/dav/lib/CardDAV/ImageExportPlugin.php | 12 ++++++++++++
 1 file changed, 12 insertions(+)


diff --git a/apps/dav/lib/CardDAV/ImageExportPlugin.php b/apps/dav/lib/CardDAV/ImageExportPlugin.php
index 31e8ed6a5e5..e48410d26d6 100644
--- a/apps/dav/lib/CardDAV/ImageExportPlugin.php
+++ b/apps/dav/lib/CardDAV/ImageExportPlugin.php
@@ -87,6 +87,7 @@ class ImageExportPlugin extends ServerPlugin {
 
 		if ($result = $this->getPhoto($node)) {
 			$response->setHeader('Content-Type', $result['Content-Type']);
+			$response->setHeader('Content-Disposition', 'attachment');
 			$response->setStatus(200);
 
 			$response->setBody($result['body']);
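Review bot: The new `Content-Disposition: attachment` stops the photo from being rendered inline, but nothing in this hunk stops a client from content-sniffing the body when `$result['Content-Type']` is the `application/octet-stream` fallback; I would add `$response->setHeader('X-Content-Type-Options', 'nosniff');` next to it, unless a framework-level middleware already sets that header for DAV responses (not visible here). A `filename` parameter on the disposition would also be worth considering so the download is not saved under the request path, but that is a usability point rather than a security one. The enclosing method begins before this hunk, so the origin of `$result` is not visible.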
@@ -121,6 +122,17 @@ class ImageExportPlugin extends ServerPlugin {
 				}
 				$val = file_get_contents($val);
 			}
+
+			$allowedContentTypes = [
+				'image/png',
+				'image/jpeg',
+				'image/gif',
+			];
+
+			if(!in_array($type, $allowedContentTypes, true)) {
+				$type = 'application/octet-stream';
+			}
+
 			return [
 				'Content-Type' => $type,
 				'body' => $val
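Review bot: The allowlist at the `in_array` check only validates the type string that `$type` already carries (it is assigned outside this hunk, presumably from the vCard's PHOTO property), not the bytes in `$val`; a contact card can declare `image/png` for an arbitrary payload and this check will pass it through with that header. Since `$val` is fully in memory at this point, the declared type can be cross-checked against the content, e.g. `$detected = (new \finfo(FINFO_MIME_TYPE))->buffer($val);` followed by `if ($detected !== $type || !in_array($type, $allowedContentTypes, true)) {`, so only a body that really is a PNG/JPEG/GIF keeps an image content type. As a style nit, `if(` should be `if (` to match the spacing used elsewhere in this file (see the `if ($result = …` line in the first hunk). The enclosing `getPhoto` method starts and ends outside this hunk.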