refine blacklisted content detection when downloading files, fixes #1205

Closes #1205 Merge request studip/studip!715

refine blacklisted content detection when downloading files, fixes #1205
dc259559 · Jan-Hendrik Willms · cf373d64 · dc259559 · dc259559
Commit dc259559 authored 2 years ago by Jan-Hendrik Willms
--- a/lib/functions.php
+++ b/lib/functions.php
@@ -1702,12 +1702,9 @@ function rmdirr($dirname){


 /**
- * Determines an appropriate MIME type for a file based on the
- * extension of the file name.
- *
- * @param string $filename      file name to check
+ * Returns the mapping of extensions to supported MIME types.
 */
-function get_mime_type($filename)
+function get_mime_types()
 {
    static $mime_types = [
        // archive types
@@ -1761,6 +1758,19 @@ function get_mime_type($filename)
        'webm' => 'video/webm',
    ];

+    return $mime_types;
+}
+
+
+/**
+ * Determines an appropriate MIME type for a file based on the
+ * extension of the file name.
+ *
+ * @param string $filename      file name to check
+ */
+function get_mime_type($filename)
+{
+    $mime_types = get_mime_types();
    $extension = mb_strtolower(pathinfo($filename, PATHINFO_EXTENSION));

    if (isset($mime_types[$extension])) {

--- a/public/sendfile.php
+++ b/public/sendfile.php
@@ -186,16 +186,9 @@ if (!file_exists($path_file)) {
    throw new Exception(_('Fehler beim Laden der Inhalte der Datei'));
 }

-$content_blacklisted = function ($mime) {
-    foreach (['html', 'javascript', 'svg', 'xml'] as $check) {
-        if (stripos($mime, $check) !== false) {
-            return true;
-        }
-    }
-    return false;
-};
+$allowed_mime_types = get_mime_types();

-if ($content_blacklisted($content_type)) {
+if (!in_array($content_type, $allowed_mime_types)) {
    $content_type = 'application/octet-stream';
 }
 if (Request::int('force_download') || $content_type == "application/octet-stream") {