We use cookies to ensure you get the best experience on our website
Trang chủ Khám phá Trợ giúp
Đăng ký Đăng nhập
0ct0pu5
/
listmonk
1
0
Fork 0
Các tập tin Các vấn đề 0 Yêu cầu kéo về 0 Wiki
Browse Source

Add file extsnsion check to media uploads.

While file content (MIME) check already existed, the lack of file
extension check allowed arbitrary extensions to be uploaded and
then accessed via the static file server. For instance, a .html file
with JPG content intersperesed with Javascript.

This commit adds a file extension check on top of the MIME type check.
Kailash Nadh 4 năm trước cách đây
mục cha
69f84c99d0
commit
dba47bca28
2 tập tin đã thay đổi với 22 bổ sung26 xóa
Split View Hiển thị tình trạng sai khác
  1. 16 10
      cmd/media.go
  2. 6 16
      cmd/utils.go

+ 16 - 10
cmd/media.go
Xem Tập Tin 

@@ -4,6 +4,7 @@ import (
 
 	"bytes"
 
 	"mime/multipart"
 
 	"net/http"
 
+	"path/filepath"
 
 	"strconv"
 
 
 	"github.com/disintegration/imaging"
 
@@ -17,13 +18,11 @@ const (
 
 	thumbnailSize = 90
 
 )
 
 
-// imageMimes is the list of image types allowed to be uploaded.
 
-var imageMimes = []string{
 
-	"image/jpg",
 
-	"image/jpeg",
 
-	"image/png",
 
-	"image/svg",
 
-	"image/gif"}
 
+// validMimes is the list of image types allowed to be uploaded.
 
+var (
 
+	validMimes = []string{"image/jpg", "image/jpeg", "image/png", "image/gif"}
 
+	validExts  = []string{".jpg", ".jpeg", ".png", ".gif"}
 
+)
 
 
 // handleUploadMedia handles media file uploads.
 
 func handleUploadMedia(c echo.Context) error {
 
@@ -37,9 +36,16 @@ func handleUploadMedia(c echo.Context) error {
 
 			app.i18n.Ts("media.invalidFile", "error", err.Error()))
 
 	}
 
 
-	// Validate MIME type with the list of allowed types.
 
-	var typ = file.Header.Get("Content-type")
 
-	if ok := validateMIME(typ, imageMimes); !ok {
 
+	// Validate file extension.
 
+	ext := filepath.Ext(file.Filename)
 
+	if ok := inArray(ext, validExts); !ok {
 
+		return echo.NewHTTPError(http.StatusBadRequest,
 
+			app.i18n.Ts("media.unsupportedFileType", "type", ext))
 
+	}
 
+
 
+	// Validate file's mime.
 
+	typ := file.Header.Get("Content-type")
 
+	if ok := inArray(typ, validMimes); !ok {
 
 		return echo.NewHTTPError(http.StatusBadRequest,
 
 			app.i18n.Ts("media.unsupportedFileType", "type", typ))
 
 	}

+ 6 - 16
cmd/utils.go
Xem Tập Tin 

@@ -15,24 +15,14 @@ var (
 
 	tagRegexpSpaces = regexp.MustCompile(`[\s]+`)
 
 )
 
 
-// validateMIME is a helper function to validate uploaded file's MIME type
 
-// against the slice of MIME types is given.
 
-func validateMIME(typ string, mimes []string) (ok bool) {
 
-	if len(mimes) > 0 {
 
-		var (
 
-			ok = false
 
-		)
 
-		for _, m := range mimes {
 
-			if typ == m {
 
-				ok = true
 
-				break
 
-			}
 
-		}
 
-		if !ok {
 
-			return false
 
+// inArray checks if a string is present in a list of strings.
 
+func inArray(val string, vals []string) (ok bool) {
 
+	for _, v := range vals {
 
+		if v == val {
 
+			return true
 
 		}
 
 	}
 
-	return true
 
+	return false
 
 }
 
 
 // generateFileName appends the incoming file's name with a small random hash.

Contact | Legal | Takedown | Status
Self-hosted public services - About
NibbleSpot by 0ct0pu5