From 67439951e6751bb09161514da87a0c14b3831cc1 Mon Sep 17 00:00:00 2001
From: Lukas Reschke <lukas@statuscode.ch>
Date: Fri, 9 Sep 2016 12:32:56 +0200
Subject: Filter more mimetypes

There's no need to allow more than those defined mimetypes for images.
---
 apps/dav/lib/CardDAV/ImageExportPlugin.php | 12 ++++++++++++
 1 file changed, 12 insertions(+)
(limited to 'apps/dav/lib/CardDAV')

diff --git a/apps/dav/lib/CardDAV/ImageExportPlugin.php b/apps/dav/lib/CardDAV/ImageExportPlugin.php
index 31e8ed6a5e5..e48410d26d6 100644
--- a/apps/dav/lib/CardDAV/ImageExportPlugin.php
+++ b/apps/dav/lib/CardDAV/ImageExportPlugin.php
@@ -87,6 +87,7 @@ class ImageExportPlugin extends ServerPlugin {
 		if ($result = $this->getPhoto($node)) {
 			$response->setHeader('Content-Type', $result['Content-Type']);
+			$response->setHeader('Content-Disposition', 'attachment');
 			$response->setStatus(200);
 			$response->setBody($result['body']);
@@ -121,6 +122,17 @@ class ImageExportPlugin extends ServerPlugin {
 			}
 			$val = file_get_contents($val);
 		}
+
+		$allowedContentTypes = [
+			'image/png',
+			'image/jpeg',
+			'image/gif',
+		];
+
+		if(!in_array($type, $allowedContentTypes, true)) {
+			$type = 'application/octet-stream';
+		}
+
 		return [
 			'Content-Type' => $type,
 			'body' => $val
--
cgit v1.2.3
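Review bot: The new `Content-Disposition: attachment` header stops the exported photo from being rendered inline, but on its own it does not stop a user agent from content-sniffing a body that the second hunk relabels as `application/octet-stream`; pairing it with `$response->setHeader('X-Content-Type-Options', 'nosniff');` on the line after the added one closes that gap unless Nextcloud already sets that header globally for DAV responses, which I cannot confirm from this diff. The header also carries no `filename` parameter, so the download name is left to the client. The enclosing method starts and ends outside this hunk.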
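Review bot: The fallback branch `$type = 'application/octet-stream';` only changes the declared type and still serves the body, so a non-image photo is downgraded rather than rejected, and nothing checks that the bytes actually are a PNG/JPEG/GIF of the declared type — `$type` is presumably taken from the vCard PHOTO property earlier in this method (its start is outside the hunk), i.e. attacker-supplied data. If the intent stated in the commit message is to allow only those three types, returning `false` here (the caller's `if ($result = $this->getPhoto($node))` already handles that) or validating the body with `getimagesize()`/finfo before trusting `$type` would be the stronger check. The strict `in_array` comparison is also case-sensitive, so `image/PNG` or a value with a `; charset=` suffix is silently downgraded; normalising with `strtolower(trim($type))` before the lookup would make the allow list behave as intended. Style: `if(` is missing the space used elsewhere in the file, and the allow list reads better as a `private const` than a local array rebuilt per call.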