FEAT #5459 better check of mime type

40c1877a · Florian Azizian · c0528718 · 40c1877a
Commit 40c1877a authored 7 years ago by Florian Azizian
--- a/core/Controllers/UserController.php
+++ b/core/Controllers/UserController.php
@@ -107,33 +107,37 @@ class UserController
    {
        $data = $request->getParams();
-        if (!$this->checkNeededParameters(['data' => $data, 'needed' => ['base64', 'name', 'type', 'size', 'label']])) {
+        if (!$this->checkNeededParameters(['data' => $data, 'needed' => ['base64', 'name', 'size', 'label']])) {
            return $response->withStatus(400)->withJson(['errors' => 'Bad Request']);
        }
-        $file = base64_decode($data['base64']);
+        $file    = base64_decode($data['base64']);
        $tmpName = 'tmp_file_' .$_SESSION['user']['UserId']. '_' .rand(). '_' .$data['name'];
+        $finfo    = new \finfo(FILEINFO_MIME_TYPE);
+        $mimeType = $finfo->buffer($file);
+        $type     = explode('/', $mimeType);
+        $ext      = strtoupper(substr($data['name'], strrpos($data['name'], '.') + 1));
        if (file_exists('custom/' .$_SESSION['custom_override_id']. '/apps/maarch_entreprise/xml/extensions.xml')) {
            $path = 'custom/' .$_SESSION['custom_override_id']. '/apps/maarch_entreprise/xml/extensions.xml';
        } else {
            $path = 'apps/maarch_entreprise/xml/extensions.xml';
        }
-        $xmlfile = simplexml_load_file($path);
+        $xmlfile  = simplexml_load_file($path);
-        $extensionTypes = [];
+        $fileAccepted = false;
        if (count($xmlfile->FORMAT) > 0) {
            foreach ($xmlfile->FORMAT as $value) {
-                $extensionTypes[(string) $value->name] = (string) $value->mime;
+                if(strtoupper($value->name) == $ext && strtoupper($value->mime) == strtoupper($mimeType)){
+                    $fileAccepted = true;
+                    break;
+                }
            }
        }
-        $ext = strtoupper(substr($data['name'], strrpos($data['name'], '.') + 1));
-        $finfo = new \finfo(FILEINFO_MIME_TYPE);
-        $mimeType = $finfo->buffer($file);
-        $type = explode('/', $mimeType);
-        if (empty($extensionTypes[$ext]) || $extensionTypes[$ext] != $mimeType || $type[0] != 'image') {
+        if (!$fileAccepted || $type[0] != 'image') {
            return $response->withJson(['errors' => _WRONG_FILE_TYPE]);
        } elseif ($data['size'] > 2000000){
            return $response->withJson(['errors' => _MAX_SIZE_UPLOAD_REACHED . ' (2 MB)']);