From dc2595597b23d050d44278cf5a43166e1182d81d Mon Sep 17 00:00:00 2001
From: Jan-Hendrik Willms <tleilax+studip@gmail.com>
Date: Wed, 22 Jun 2022 16:11:40 +0000
Subject: [PATCH] refine blacklisted content detection when downloading files,
 fixes #1205

Closes #1205

Merge request studip/studip!715
---
 lib/functions.php   | 20 +++++++++++++++-----
 public/sendfile.php | 11 ++---------
 2 files changed, 17 insertions(+), 14 deletions(-)

diff --git a/lib/functions.php b/lib/functions.php
index a6b8f6d8173..c4ff703ff46 100644
--- a/lib/functions.php
+++ b/lib/functions.php
@@ -1702,12 +1702,9 @@ function rmdirr($dirname){
 
 
 /**
- * Determines an appropriate MIME type for a file based on the
- * extension of the file name.
- *
- * @param string $filename      file name to check
+ * Returns the mapping of extensions to supported MIME types.
  */
-function get_mime_type($filename)
+function get_mime_types()
 {
     static $mime_types = [
         // archive types
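Review bot: The new docblock on get_mime_types() carries no return annotation, so static analysis and the new caller in sendfile.php cannot tell what shape the table has; add `@return array<string, string> file extension => MIME type` (the lookup in get_mime_type() lower-cases the extension first, so the keys are presumably lower-case as well — worth stating if that holds for the whole table). The docblock moved onto get_mime_type() in the next hunk likewise still lacks a `@return` tag for the MIME string it yields. The function body continues past the end of this hunk.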
@@ -1761,6 +1758,19 @@ function get_mime_type($filename)
         'webm' => 'video/webm',
     ];
 
+    return $mime_types;
+}
+
+
+/**
+ * Determines an appropriate MIME type for a file based on the
+ * extension of the file name.
+ *
+ * @param string $filename      file name to check
+ */
+function get_mime_type($filename)
+{
+    $mime_types = get_mime_types();
     $extension = mb_strtolower(pathinfo($filename, PATHINFO_EXTENSION));
 
     if (isset($mime_types[$extension])) {
diff --git a/public/sendfile.php b/public/sendfile.php
index 5485ca297e6..80084083c2c 100644
--- a/public/sendfile.php
+++ b/public/sendfile.php
@@ -186,16 +186,9 @@ if (!file_exists($path_file)) {
     throw new Exception(_('Fehler beim Laden der Inhalte der Datei'));
 }
 
-$content_blacklisted = function ($mime) {
-    foreach (['html', 'javascript', 'svg', 'xml'] as $check) {
-        if (stripos($mime, $check) !== false) {
-            return true;
-        }
-    }
-    return false;
-};
+$allowed_mime_types = get_mime_types();
 
-if ($content_blacklisted($content_type)) {
+if (!in_array($content_type, $allowed_mime_types)) {
     $content_type = 'application/octet-stream';
 }
 if (Request::int('force_download') || $content_type == "application/octet-stream") {
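Review bot: The `in_array` on the new allow-list check is non-strict; since both sides are strings the practical risk is low, but the call should still pass `true` so a non-string `$content_type` can never loosely match an entry: `if (!in_array($content_type, $allowed_mime_types, true)) {`. More importantly, the commit replaces a deny-list of active content (html, javascript, svg, xml) with "everything in get_mime_types()", so whether such content is still forced to `application/octet-stream` now depends entirely on that table never containing entries like `text/html`, `image/svg+xml`, `application/xml` or `application/javascript`; the table is not visible in this patch, and a one-line comment here plus an `array_filter` that drops those families from `$allowed_mime_types` before the check would keep the protection independent of the table's contents. Note also that the old `stripos` check was case-insensitive and tolerant of parameters such as `; charset=...`, whereas exact `in_array` matching is not — that fails closed (octet-stream), which is the safe direction, but it is a behavioural change the description does not mention. The origin of `$content_type` is outside this hunk.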
-- 
GitLab