refine blacklisted content detection when downloading files, fixes #1205

Closes #1205

Merge request studip/studip!715

lib/functions.php

@@ -1702,12 +1702,9 @@ function rmdirr($dirname){
 
 
 /**
- * Determines an appropriate MIME type for a file based on the
- * extension of the file name.
- *
- * @param string $filename      file name to check
+ * Returns the mapping of extensions to supported MIME types.
  */
-function get_mime_type($filename)
+function get_mime_types()
 {
     static $mime_types = [
         // archive types
@@ -1761,6 +1758,19 @@ function get_mime_type($filename)
         'webm' => 'video/webm',
     ];
 
+    return $mime_types;
+}
+
+
+/**
+ * Determines an appropriate MIME type for a file based on the
+ * extension of the file name.
+ *
+ * @param string $filename      file name to check
+ */
+function get_mime_type($filename)
+{
+    $mime_types = get_mime_types();
     $extension = mb_strtolower(pathinfo($filename, PATHINFO_EXTENSION));
 
     if (isset($mime_types[$extension])) {

public/sendfile.php

@@ -186,16 +186,9 @@ if (!file_exists($path_file)) {
     throw new Exception(_('Fehler beim Laden der Inhalte der Datei'));
 }
 
-$content_blacklisted = function ($mime) {
-    foreach (['html', 'javascript', 'svg', 'xml'] as $check) {
-        if (stripos($mime, $check) !== false) {
-            return true;
-        }
-    }
-    return false;
-};
+$allowed_mime_types = get_mime_types();
 
-if ($content_blacklisted($content_type)) {
+if (!in_array($content_type, $allowed_mime_types)) {
     $content_type = 'application/octet-stream';
 }
 if (Request::int('force_download') || $content_type == "application/octet-stream") {