Commit 0c522e73 authored by Seamus Lee

Strengthen mime checking by comparing mime-type to the file path mime-type if we...

Strengthen mime checking by comparing mime-type to the file path mime-type if we have entity_id and file id, otherwise only permit image mime_types to be accepted if going via the filename route

Ensure mimetype is set in the case where we are passing it through and it's valid

Remove Whitelisting of mime-types as not useful and only check mime-types if we have had one passed in
parent 377dc728
......@@ -68,15 +68,23 @@ class CRM_Core_Page_File extends CRM_Core_Page {
$mimeType = '';
$path = CRM_Core_Config::singleton()->customFileUploadDir . $fileName;
}
$mimeType = CRM_Utils_Request::retrieveValue('mime-type', 'String', $mimeType, FALSE);
$passedInMimeType = CRM_Utils_Request::retrieveValue('mime-type', 'String', $mimeType, FALSE);
if (!$path) {
CRM_Core_Error::statusBounce('Could not retrieve the file');
}
$testMimeType = CRM_Utils_File::getMimeType($path);
if ($testMimeType != $mimeType) {
throw new CRM_Core_Exception("Supplied Mime Type does not match file Mime Type");
if (!empty($mimeType) && !empty($passedInMimeType)) {
if ($passedInMimeType != $mimeType) {
throw new CRM_Core_Exception("Supplied Mime Type does not match file Mime Type");
}
}
elseif (!empty($passedInMimeType)) {
$testMimeType = CRM_Utils_File::getMimeType($path);
if ($testMimeType != $passedInMimeType) {
throw new CRM_Core_Exception("Supplied Mime Type does not match file Mime Type");
}
// Now that we have ensured that the mime-type matches to what we believe is the mime-type of the file
$mimeType = $passedInMimeType;
}
$buffer = file_get_contents($path);
......
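Review bot: when neither the file record nor the request supplies a mime type, both the `if` and the `elseif` are skipped, so in the filename branch `$mimeType` is still `''` when `file_get_contents($path)` is reached and nothing has been checked against the file on disk. Consider a final `else` that sets `$mimeType = CRM_Utils_File::getMimeType($path);` so the value used downstream is always derived server-side. In the `elseif` branch the same applies: after the comparison passes, assign `$testMimeType` rather than the request-supplied `$passedInMimeType`, and use `!==` instead of `!=` in both comparisons so they are strict string matches. Note also that the first branch now compares the request value only to the stored `$mimeType` and no longer calls `getMimeType($path)`, and because `retrieveValue` defaults to `$mimeType`, that comparison passes trivially whenever the request omits `mime-type`; a short comment stating that this is intended would help the next reader.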