GNUsocial
/
gnu-social
4
0
Fork 1
Code Issues Releases Wiki Activity

[CORE][GSFile] Respect mimetype whitelist and extensions blacklist before saving files

This commit is contained in:
Diogo Peralta Cordeiro 2021-10-24 15:16:37 +01:00
parent b7d9da8ae6
commit bccafd0d7b
Signed by: diogo
GPG Key ID: 18D2D35001FBFAB0
2 changed files with 64 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

38
src/Core/GSFile.php
View File

@ -24,6 +24,7 @@ declare(strict_types = 1);
namespace App\Core;
use App\Core\DB\DB;
use App\Util\Exception\FileNotAllowedException;
use function App\Core\I18n\_m;
use App\Entity\Attachment;
use App\Util\Common;
@ -92,14 +93,19 @@ class GSFile
$attachment->setWidth($width);
$attachment->setHeight($height);
$attachment->setSize($file->getSize());
$file->move(Common::config('attachments', 'dir'), $hash);
if (self::isMimetypeAllowed($mimetype)) {
$file->move(Common::config('attachments', 'dir'), $hash);
DB::persist($attachment);
} else {
throw new FileNotAllowedException();
}
}
} catch (NotFoundException) {
// Create an Attachment
// The following properly gets the mimetype with `file` or other
// available methods, so should be safe
$mimetype = mb_substr($file->getMimeType(), 0, 64);
$width = $height = null;
$width = $height = null;
$event_map[$mimetype] = [];
$major_mime = self::mimetypeMajor($mimetype);
$event_map[$major_mime] = [];
@ -123,13 +129,37 @@ class GSFile
'width' => $width,
'height' => $height,
]);
$file->move(Common::config('attachments', 'dir'), $hash);
DB::persist($attachment);
if (self::isMimetypeAllowed($mimetype)) {
$file->move(Common::config('attachments', 'dir'), $hash);
DB::persist($attachment);
} else {
$attachment->setFilename(null);
$attachment->setMimetype(null);
$attachment->setSize(null);
$attachment->setWidth(null);
$attachment->setHeight(null);
DB::persist($attachment);
throw new FileNotAllowedException($mimetype);
}
Event::handle('AttachmentStoreNew', [&$attachment]);
}
return $attachment;
}
/**
* Tests against common config attachment `supported` mimetypes and `ext_blacklist`.
*
* @param string $mimetype
* @return bool true if allowed, false otherwise
*/
public static function isMimetypeAllowed(string $mimetype): bool {
$passed_whitelist = in_array($mimetype, array_keys(Common::config('attachments', 'supported')));
$mime = new MimeTypes();
$passed_blacklist = count(array_intersect($mime->getExtensions($mimetype), Common::config('attachments', 'ext_blacklist'))) === 0;
unset($mime);
return $passed_whitelist && $passed_blacklist;
}
/**
* Include $filepath in the response, for viewing or downloading.
*

30
src/Util/Exception/FileNotAllowedException.php Normal file
View File

@ -0,0 +1,30 @@
<?php
declare(strict_types = 1);
// {{{ License
// This file is part of GNU social - https://www.gnu.org/software/social
//
// GNU social is free software: you can redistribute it and/or modify
// it under the terms of the GNU Affero General Public License as published by
// the Free Software Foundation, either version 3 of the License, or
// (at your option) any later version.
//
// GNU social is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU Affero General Public License for more details.
//
// You should have received a copy of the GNU Affero General Public License
// along with GNU social. If not, see <http://www.gnu.org/licenses/>.
// }}}
namespace App\Util\Exception;
class FileNotAllowedException extends \InvalidArgumentException
{
public function __construct(string $mimetype)
{
parent::__construct("File mimetype not allowed: '{$mimetype}'.");
}
}