diff --git a/package.json b/package.json
index dca104b..da9e0cb 100644
--- a/package.json
+++ b/package.json
@@ -29,6 +29,7 @@
 "kue": "^0.8.11",
 "language-tags": "~1.0.2",
 "mkdirp": "~ 0.3.1",
+ "mmmagic": "^0.3.13",
 "mongodb": "=1.4.28",
 "mongoose": "~3.8.5",
 "mpath": "~0.2.1",
diff --git a/src/routes/image.js b/src/routes/image.js
index 16faefc..111c9fb 100644
--- a/src/routes/image.js
+++ b/src/routes/image.js
@@ -3,6 +3,8 @@
 var fs = require('fs-extra');
 var mkdirp = require('mkdirp');
 var path = require('path');
+var mmm = require('mmmagic');
+var magic = new mmm.Magic(mmm.MAGIC_MIME_TYPE);
 var transform = require('../transform');
 module.exports = function(app) {
@@ -139,17 +141,32 @@ module.exports = function(app) {
 }
 delete image.index;
- doc.set('images', images);
- // mongoose has trouble working out if mixed object arrays have changed
- // so make sure it knows otherwise the changes aren't saved
- doc.markModified('images');
-
- doc.save(function(err, newDoc) {
+ /* Get the file's MIME type using libmagic */
+ magic.detectFile(dest_path, function(err, mimeType) {
 if (err) {
- return next(err);
+ return next(new Error("Finding the MIME type of the image failed"));
 }
- return res.withBody(transform(newDoc, req));
+ if (!/^image\//.test(mimeType)) {
+ return next(new Error(
+ "The uploaded image was of non-permitted type: " + mimeType
+ ));
+ }
+
+ image.mime_type = mimeType;
+
+ doc.set('images', images);
+ // mongoose has trouble working out if mixed object arrays have changed
+ // so make sure it knows otherwise the changes aren't saved
+ doc.markModified('images');
+
+ doc.save(function(err, newDoc) {
+ if (err) {
+ return next(err);
+ }
+
+ return res.withBody(transform(newDoc, req));
+ });
 });
 });
 }
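Review bot: The `/^image\//` test accepts every subtype libmagic reports, which will include `image/svg+xml` if the library identifies SVG; SVG can carry script and is an XSS vector when the stored file is later served inline from the same origin, so an explicit allowlist is safer, e.g. `if (['image/jpeg', 'image/png', 'image/gif'].indexOf(mimeType) === -1) {`. Both failure paths in the `detectFile` callback also return with the upload still on disk, since `detectFile(dest_path)` reads a file that was presumably written earlier in the handler (outside this hunk); remove it before failing, e.g. `fs.unlink(dest_path, function() { next(new Error("The uploaded image was of non-permitted type: " + mimeType)); });`. The detection-failure branch discards `err` entirely, so attach it for logging (`var e = new Error("Finding the MIME type of the image failed"); e.cause = err; return next(e);`) rather than dropping it. The enclosing route handler and the `module.exports` function both begin and end outside this hunk.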