
Filter more mimetypes

There's no need to allow more MIME types for images than the ones defined here.
LukasReschke committed Sep 9, 2016
1 parent b9100da commit 68ab8325c799d20c1fb7e98d670785176590e7d0
Showing with 63 additions and 9 deletions.
  1. +12 −0 apps/dav/lib/CardDAV/ImageExportPlugin.php
  2. +51 −9 apps/dav/tests/unit/CardDAV/ImageExportPluginTest.php
@@ -87,6 +87,7 @@ function httpGet(RequestInterface $request, ResponseInterface $response) {
if ($result = $this->getPhoto($node)) {
$response->setHeader('Content-Type', $result['Content-Type']);
$response->setHeader('Content-Disposition', 'attachment');
$response->setStatus(200);
$response->setBody($result['body']);
@@ -121,6 +122,17 @@ function getPhoto(Card $node) {
}
$val = file_get_contents($val);
}
$allowedContentTypes = [
'image/png',
'image/jpeg',
'image/gif',
];
if(!in_array($type, $allowedContentTypes, true)) {
$type = 'application/octet-stream';
}
return [
'Content-Type' => $type,
'body' => $val
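Review bot: The allowlist in the second hunk is a literal array rebuilt on every getPhoto() call and is only readable from inside the method; hoisting it to a class-level constant or private static property (e.g. `const ALLOWED_CONTENT_TYPES = ['image/png', 'image/jpeg', 'image/gif'];`) lets the test suite and httpGet() refer to the same list and keeps the `in_array(..., true)` check as the single policy point. Presumably `$type` is derived from the PHOTO property of the vCard above the hunk, i.e. from data the card's author controls, so the strict allowlist with an `application/octet-stream` fallback is the right direction. Since the first hunk already forces `Content-Disposition: attachment`, adding `$response->setHeader('X-Content-Type-Options', 'nosniff');` next to it would also stop browsers from sniffing an octet-stream body back into an active type. Both getPhoto() and httpGet() begin outside the hunks shown.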
@@ -107,9 +107,20 @@ public function testCardWithOrWithoutPhoto($expected, $getPhotoResult) {
$this->plugin->expects($this->once())->method('getPhoto')->willReturn($getPhotoResult);
if (!$expected) {
$this->response->expects($this->once())->method('setHeader');
$this->response->expects($this->once())->method('setStatus');
$this->response->expects($this->once())->method('setBody');
$this->response
->expects($this->at(0))
->method('setHeader')
->with('Content-Type', $getPhotoResult['Content-Type']);
$this->response
->expects($this->at(1))
->method('setHeader')
->with('Content-Disposition', 'attachment');
$this->response
->expects($this->once())
->method('setStatus');
$this->response
->expects($this->once())
->method('setBody');
}
$result = $this->plugin->httpGet($this->request, $this->response);
@@ -142,12 +153,43 @@ public function testGetPhoto($expected, $cardData) {
public function providesPhotoData() {
return [
'empty vcard' => [false, ''],
'vcard without PHOTO' => [false, "BEGIN:VCARD\r\nVERSION:3.0\r\nPRODID:-//Sabre//Sabre VObject 3.5.0//EN\r\nUID:12345\r\nFN:12345\r\nN:12345;;;;\r\nEND:VCARD\r\n"],
'vcard 3 with PHOTO' => [['Content-Type' => 'image/jpeg', 'body' => '12345'], "BEGIN:VCARD\r\nVERSION:3.0\r\nPRODID:-//Sabre//Sabre VObject 3.5.0//EN\r\nUID:12345\r\nFN:12345\r\nN:12345;;;;\r\nPHOTO;ENCODING=b;TYPE=JPEG:MTIzNDU=\r\nEND:VCARD\r\n"],
'vcard 3 with PHOTO URL' => [false, "BEGIN:VCARD\r\nVERSION:3.0\r\nPRODID:-//Sabre//Sabre VObject 3.5.0//EN\r\nUID:12345\r\nFN:12345\r\nN:12345;;;;\r\nPHOTO;TYPE=JPEG;VALUE=URI:http://example.com/photo.jpg\r\nEND:VCARD\r\n"],
'vcard 4 with PHOTO' => [['Content-Type' => 'image/jpeg', 'body' => '12345'], "BEGIN:VCARD\r\nVERSION:4.0\r\nPRODID:-//Sabre//Sabre VObject 3.5.0//EN\r\nUID:12345\r\nFN:12345\r\nN:12345;;;;\r\nPHOTO:data:image/jpeg;base64,MTIzNDU=\r\nEND:VCARD\r\n"],
'vcard 4 with PHOTO URL' => [false, "BEGIN:VCARD\r\nVERSION:4.0\r\nPRODID:-//Sabre//Sabre VObject 3.5.0//EN\r\nUID:12345\r\nFN:12345\r\nN:12345;;;;\r\nPHOTO;MEDIATYPE=image/jpeg:http://example.org/photo.jpg\r\nEND:VCARD\r\n"],
'empty vcard' => [
false,
''
],
'vcard without PHOTO' => [
false,
"BEGIN:VCARD\r\nVERSION:3.0\r\nPRODID:-//Sabre//Sabre VObject 3.5.0//EN\r\nUID:12345\r\nFN:12345\r\nN:12345;;;;\r\nEND:VCARD\r\n"
],
'vcard 3 with PHOTO' => [
[
'Content-Type' => 'image/jpeg',
'body' => '12345'
],
"BEGIN:VCARD\r\nVERSION:3.0\r\nPRODID:-//Sabre//Sabre VObject 3.5.0//EN\r\nUID:12345\r\nFN:12345\r\nN:12345;;;;\r\nPHOTO;ENCODING=b;TYPE=JPEG:MTIzNDU=\r\nEND:VCARD\r\n"
],
'vcard 3 with PHOTO URL' => [
false,
"BEGIN:VCARD\r\nVERSION:3.0\r\nPRODID:-//Sabre//Sabre VObject 3.5.0//EN\r\nUID:12345\r\nFN:12345\r\nN:12345;;;;\r\nPHOTO;TYPE=JPEG;VALUE=URI:http://example.com/photo.jpg\r\nEND:VCARD\r\n"
],
'vcard 4 with PHOTO' => [
[
'Content-Type' => 'image/jpeg',
'body' => '12345'
],
"BEGIN:VCARD\r\nVERSION:4.0\r\nPRODID:-//Sabre//Sabre VObject 3.5.0//EN\r\nUID:12345\r\nFN:12345\r\nN:12345;;;;\r\nPHOTO:data:image/jpeg;base64,MTIzNDU=\r\nEND:VCARD\r\n"
],
'vcard 4 with PHOTO URL' => [
false,
"BEGIN:VCARD\r\nVERSION:4.0\r\nPRODID:-//Sabre//Sabre VObject 3.5.0//EN\r\nUID:12345\r\nFN:12345\r\nN:12345;;;;\r\nPHOTO;MEDIATYPE=image/jpeg:http://example.org/photo.jpg\r\nEND:VCARD\r\n"
],
'vcard 4 with PHOTO AND INVALID MIMEtYPE' => [
[
'Content-Type' => 'application/octet-stream',
'body' => '12345'
],
"BEGIN:VCARD\r\nVERSION:4.0\r\nPRODID:-//Sabre//Sabre VObject 3.5.0//EN\r\nUID:12345\r\nFN:12345\r\nN:12345;;;;\r\nPHOTO:data:image/svg;base64,MTIzNDU=\r\nEND:VCARD\r\n"
],
];
}
}
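Review bot: The `expects($this->at(0))` / `expects($this->at(1))` pair in testCardWithOrWithoutPhoto pins the header order by mock invocation index, which couples the test to the exact sequence of every call on the response mock (any additional call shifts the index, and `at()` is deprecated in later PHPUnit releases); `->expects($this->exactly(2))->method('setHeader')->withConsecutive(['Content-Type', $getPhotoResult['Content-Type']], ['Content-Disposition', 'attachment'])` expresses the same check without that coupling. In providesPhotoData the new dataset key `'vcard 4 with PHOTO AND INVALID MIMEtYPE'` has a stray lowercase `t`. That dataset uses `image/svg`, which is not the registered SVG media type; a second dataset with `image/svg+xml` would document the case the allowlist exists for. The body of testCardWithOrWithoutPhoto starts and ends outside the hunk.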
