
block invalid mime types (+svg)

Andrew Dolgov 5 days ago
parent
commit
5bb365a01e
1 changed files with 9 additions and 2 deletions
  1. 9 2
      backend.php

+ 9 - 2
backend.php

@@ -1080,9 +1080,16 @@
 			if ($ctype == "application/octet-stream")
 				$ctype = "video/mp4";
 
+			# block SVG because of possible embedded javascript (.....)
+			$mimetype_blacklist = [ "image/svg+xml" ];
+
 			/* only serve video and images, send everything else as text/plain */
-			if (!preg_match("/(image|video)\//", $mimetype)) {
-				$ctype = "text/plain";
+			if (!preg_match("/(image|video)\//", $mimetype) || in_array($mimetype, $mimetype_blacklist)) {
+				http_response_code(400);
+				header("Content-type: text/plain");
+
+				print "Stored file has disallowed content type ($mimetype)";
+				return false;
 			}
 
 			header("Content-type: $ctype");
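Review bot: The blocklist test on the new `if` line is a loose, exact-string `in_array`, so a stored type that differs only in case or carries parameters (`image/svg+xml; charset=utf-8`) still matches the `image/` regex and is served as-is; normalise first, e.g. `$base_type = strtolower(trim(explode(';', $mimetype)[0]));` and then `in_array($base_type, $mimetype_blacklist, true)`. The check also reads `$mimetype` while the header two lines later sends `$ctype`, which the lines above may have rewritten from `application/octet-stream` — if the two variables can diverge where they are derived (outside this hunk), that rewrite path is now either unreachable or unchecked, so confirm the intent there. Since the response still relies on the browser honouring the declared type, emitting `header("X-Content-Type-Options: nosniff");` next to the Content-type header would stop sniffing of image bodies that contain markup. The `# block SVG ...` comment would be clearer as `# SVG is rejected because it can carry scripts that run in the site's origin when served inline`. The enclosing function begins and ends outside the hunk.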