Merge pull request #1340 from nextcloud/stable10-limit-possible-image-mimetypes

[stable10] Filter more mimetypes
Morris Jobke 2016-09-09 15:12:26 +02:00 committed by GitHub
commit 3270da0890
2 changed files with 63 additions and 9 deletions


@ -87,6 +87,7 @@ class ImageExportPlugin extends ServerPlugin {
if ($result = $this->getPhoto($node)) {
$response->setHeader('Content-Type', $result['Content-Type']);
$response->setHeader('Content-Disposition', 'attachment');
$response->setStatus(200);
$response->setBody($result['body']);
@ -121,6 +122,17 @@ class ImageExportPlugin extends ServerPlugin {
}
$val = file_get_contents($val);
}
$allowedContentTypes = [
'image/png',
'image/jpeg',
'image/gif',
];
if(!in_array($type, $allowedContentTypes, true)) {
$type = 'application/octet-stream';
}
return [
'Content-Type' => $type,
'body' => $val
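Review bot: The allow-list added in the second hunk derives the Content-Type from the vCard-declared type alone, so a crafted contact can still have arbitrary bytes served as `image/png`; the `Content-Disposition: attachment` header added in the first hunk keeps that out of inline rendering, but the response should also carry `X-Content-Type-Options: nosniff` so browsers do not sniff the body regardless, e.g. `$response->setHeader('X-Content-Type-Options', 'nosniff');` next to the attachment header. Checking the bytes with `getimagesize()` or finfo before trusting the declared type would close the gap fully and is worth considering. The `file_get_contents($val)` at the top of the second hunk is presumably reached only for `data:` URIs, since the tests treat `http` PHOTO URLs as `false`; if the scheme check lives in the elided lines above, a comment there such as `// only data: URIs reach file_get_contents; remote URLs were rejected above` would make that contract visible. getPhoto begins before this hunk and its return statement continues past it.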


@ -107,9 +107,20 @@ class ImageExportPluginTest extends TestCase {
$this->plugin->expects($this->once())->method('getPhoto')->willReturn($getPhotoResult);
if (!$expected) {
$this->response->expects($this->once())->method('setHeader');
$this->response->expects($this->once())->method('setStatus');
$this->response->expects($this->once())->method('setBody');
$this->response
->expects($this->at(0))
->method('setHeader')
->with('Content-Type', $getPhotoResult['Content-Type']);
$this->response
->expects($this->at(1))
->method('setHeader')
->with('Content-Disposition', 'attachment');
$this->response
->expects($this->once())
->method('setStatus');
$this->response
->expects($this->once())
->method('setBody');
}
$result = $this->plugin->httpGet($this->request, $this->response);
@ -142,12 +153,43 @@ class ImageExportPluginTest extends TestCase {
public function providesPhotoData() {
return [
'empty vcard' => [false, ''],
'vcard without PHOTO' => [false, "BEGIN:VCARD\r\nVERSION:3.0\r\nPRODID:-//Sabre//Sabre VObject 3.5.0//EN\r\nUID:12345\r\nFN:12345\r\nN:12345;;;;\r\nEND:VCARD\r\n"],
'vcard 3 with PHOTO' => [['Content-Type' => 'image/jpeg', 'body' => '12345'], "BEGIN:VCARD\r\nVERSION:3.0\r\nPRODID:-//Sabre//Sabre VObject 3.5.0//EN\r\nUID:12345\r\nFN:12345\r\nN:12345;;;;\r\nPHOTO;ENCODING=b;TYPE=JPEG:MTIzNDU=\r\nEND:VCARD\r\n"],
'vcard 3 with PHOTO URL' => [false, "BEGIN:VCARD\r\nVERSION:3.0\r\nPRODID:-//Sabre//Sabre VObject 3.5.0//EN\r\nUID:12345\r\nFN:12345\r\nN:12345;;;;\r\nPHOTO;TYPE=JPEG;VALUE=URI:http://example.com/photo.jpg\r\nEND:VCARD\r\n"],
'vcard 4 with PHOTO' => [['Content-Type' => 'image/jpeg', 'body' => '12345'], "BEGIN:VCARD\r\nVERSION:4.0\r\nPRODID:-//Sabre//Sabre VObject 3.5.0//EN\r\nUID:12345\r\nFN:12345\r\nN:12345;;;;\r\nPHOTO:\r\nEND:VCARD\r\n"],
'vcard 4 with PHOTO URL' => [false, "BEGIN:VCARD\r\nVERSION:4.0\r\nPRODID:-//Sabre//Sabre VObject 3.5.0//EN\r\nUID:12345\r\nFN:12345\r\nN:12345;;;;\r\nPHOTO;MEDIATYPE=image/jpeg:http://example.org/photo.jpg\r\nEND:VCARD\r\n"],
'empty vcard' => [
false,
''
],
'vcard without PHOTO' => [
false,
"BEGIN:VCARD\r\nVERSION:3.0\r\nPRODID:-//Sabre//Sabre VObject 3.5.0//EN\r\nUID:12345\r\nFN:12345\r\nN:12345;;;;\r\nEND:VCARD\r\n"
],
'vcard 3 with PHOTO' => [
[
'Content-Type' => 'image/jpeg',
'body' => '12345'
],
"BEGIN:VCARD\r\nVERSION:3.0\r\nPRODID:-//Sabre//Sabre VObject 3.5.0//EN\r\nUID:12345\r\nFN:12345\r\nN:12345;;;;\r\nPHOTO;ENCODING=b;TYPE=JPEG:MTIzNDU=\r\nEND:VCARD\r\n"
],
'vcard 3 with PHOTO URL' => [
false,
"BEGIN:VCARD\r\nVERSION:3.0\r\nPRODID:-//Sabre//Sabre VObject 3.5.0//EN\r\nUID:12345\r\nFN:12345\r\nN:12345;;;;\r\nPHOTO;TYPE=JPEG;VALUE=URI:http://example.com/photo.jpg\r\nEND:VCARD\r\n"
],
'vcard 4 with PHOTO' => [
[
'Content-Type' => 'image/jpeg',
'body' => '12345'
],
"BEGIN:VCARD\r\nVERSION:4.0\r\nPRODID:-//Sabre//Sabre VObject 3.5.0//EN\r\nUID:12345\r\nFN:12345\r\nN:12345;;;;\r\nPHOTO:\r\nEND:VCARD\r\n"
],
'vcard 4 with PHOTO URL' => [
false,
"BEGIN:VCARD\r\nVERSION:4.0\r\nPRODID:-//Sabre//Sabre VObject 3.5.0//EN\r\nUID:12345\r\nFN:12345\r\nN:12345;;;;\r\nPHOTO;MEDIATYPE=image/jpeg:http://example.org/photo.jpg\r\nEND:VCARD\r\n"
],
'vcard 4 with PHOTO AND INVALID MIMEtYPE' => [
[
'Content-Type' => 'application/octet-stream',
'body' => '12345'
],
"BEGIN:VCARD\r\nVERSION:4.0\r\nPRODID:-//Sabre//Sabre VObject 3.5.0//EN\r\nUID:12345\r\nFN:12345\r\nN:12345;;;;\r\nPHOTO:\r\nEND:VCARD\r\n"
],
];
}
}
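Review bot: The new `vcard 4 with PHOTO AND INVALID MIMEtYPE` dataset carries the same vCard as `vcard 4 with PHOTO` (an empty `PHOTO:` line) and differs only in the expected `$getPhotoResult`, which the test feeds straight back through the mocked `getPhoto` (`willReturn($getPhotoResult)` in the first hunk); it therefore verifies that the plugin echoes whatever Content-Type the stub returns, not that the allow-list inside `getPhoto` rewrites a non-image type to `application/octet-stream`. To exercise the filter, give the case a vCard with a non-image type, e.g. `PHOTO;ENCODING=b;TYPE=TEXT/HTML:MTIzNDU=`, and run it through the real `getPhoto` instead of the stub, or add a dedicated `getPhoto` test that asserts the fallback type. The dataset name also has a typo, `MIMEtYPE`. The data provider is complete within this hunk, but the test method that consumes it begins before the earlier hunk.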