From 33ba87091d95f6cf23c89c76f3996e71c7528c6f Mon Sep 17 00:00:00 2001
From: Damien <damien.burel@maarch.org>
Date: Tue, 8 Oct 2019 16:59:09 +0200
Subject: [PATCH] FEAT #10490 TIME 0:25 Check extensions
---
 src/app/resource/controllers/ResController.php | 7 +++++++
 src/app/resource/controllers/StoreController.php | 2 +-
 2 files changed, 8 insertions(+), 1 deletion(-)
diff --git a/src/app/resource/controllers/ResController.php b/src/app/resource/controllers/ResController.php
index 91361f82630..e6eba535335 100755
--- a/src/app/resource/controllers/ResController.php
+++ b/src/app/resource/controllers/ResController.php
@@ -74,6 +74,13 @@ class ResController
 return $response->withStatus(400)->withJson(['errors' => 'Body category_id is empty or not a string']);
 }
+ $file = base64_decode($body['encodedFile']);
+ $finfo = new \finfo(FILEINFO_MIME_TYPE);
+ $mimeType = $finfo->buffer($file);
+ if (!StoreController::isFileAllowed(['extension' => $body['format'], 'type' => $mimeType])) {
+ return $response->withStatus(400)->withJson(['errors' => _FILE_NOT_ALLOWED_INFO_1.' "'.$body['format'].'" '._FILE_NOT_ALLOWED_INFO_2.' "'. $mimeType. '" '._FILE_NOT_ALLOWED_INFO_3]);
+ }
+
 $resId = StoreController::storeResource($body);
 if (empty($resId) || !empty($resId['errors'])) {
 return $response->withStatus(500)->withJson(['errors' => '[ResController create] ' . $resId['errors']]);
diff --git a/src/app/resource/controllers/StoreController.php b/src/app/resource/controllers/StoreController.php
index 539d45712d2..b89b043850b 100755
--- a/src/app/resource/controllers/StoreController.php
+++ b/src/app/resource/controllers/StoreController.php
@@ -40,7 +40,7 @@ class StoreController
 unset($aArgs[$column]);
 }
 }
- $fileContent = base64_decode(str_replace(['-', '_'], ['+', '/'], $aArgs['encodedFile']));
+ $fileContent = base64_decode(str_replace(['-', '_'], ['+', '/'], $aArgs['encodedFile']));
 $storeResult = DocserverController::storeResourceOnDocServer([
 'collId' => 'letterbox_coll',
-- 
GitLab
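Review bot: The new check in ResController decodes `$body['encodedFile']` with a plain `base64_decode`, while `StoreController::storeResource` (second hunk) decodes the same field after `str_replace(['-', '_'], ['+', '/'], ...)`, so the bytes handed to `$finfo->buffer()` are not necessarily the bytes that get stored — a URL-safe-encoded payload is sniffed as one thing and persisted as another, and non-strict decoding silently discards the unknown characters instead of failing. Decode exactly as storage does and reject undecodable input before sniffing: `$file = base64_decode(str_replace(['-', '_'], ['+', '/'], $body['encodedFile']), true);` followed by `if ($file === false) { return $response->withStatus(400)->withJson(['errors' => 'Body encodedFile is not valid base64']); }`. The check also reads `$body['encodedFile']` and `$body['format']` without the emptiness/type guards the preceding fields get; unless they are validated above the hunk, a missing field reaches `base64_decode` as null and `isFileAllowed` with a null extension. Since `format` is client-supplied, the extension half of the check is only as strong as the sniffed MIME type it is paired with, so `isFileAllowed` should be relied on to require both to agree rather than either alone. The enclosing method (presumably `create`, per the error string) starts and ends outside the hunk.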