Limit carddav image export mime types #26459

Merged
merged 1 commit into from Oct 25, 2016


@DeepDiver1975
Member
DeepDiver1975 commented Oct 24, 2016 edited

Description

Only jpeg, png and gif should be exported as vcard photos - in any other case application/octet-stream is used to disallow browsers from executing it.

Related Issue

https://nextcloud.com/security/advisory/?id=nc-sa-2016-011

How Has This Been Tested?

With mail and contacts app enabled where an email address of one sender matches a contact who has an image. Even if the mime type is changed in the db the avatar of the user is still displayed.
Use the inspector to verify that the content disposition is attachment and the content type is application/octet-stream.

Screenshots (if appropriate):

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)

Checklist:

  • My code follows the code style of this project.
  • My change requires a change to the documentation.
  • I have updated the documentation accordingly.
  • I have read the CONTRIBUTING document.
  • I have added tests to cover my changes.
  • All new and existing tests passed.
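The allow-list the PR describes, written out as an added example that is not ownCloud's own code: a minimal vCard PHOTO extractor for the vCard 3 (`ENCODING=b;TYPE=...`) and vCard 4 (`data:` URI) forms, and a response builder that serves only `image/jpeg`, `image/png` and `image/gif` under their declared type and everything else as `application/octet-stream` with `Content-Disposition: attachment`. The hand-rolled parser, the function names `extractPhoto` and `photoResponse` and the constant `ALLOWED_PHOTO_TYPES` are assumptions for this example; ownCloud itself parses vCards with Sabre VObject. The sample vCards are constructed to mirror the test cases quoted in the review below.

```php
<?php
// Added example, not ownCloud's code: allow-list based vCard photo export.

// Only these declared types are served as images; anything else falls back
// to application/octet-stream so a browser never renders or executes it.
const ALLOWED_PHOTO_TYPES = ['image/jpeg', 'image/png', 'image/gif'];

/**
 * Extract the embedded PHOTO from a vCard string (hand-rolled for the
 * example; the project uses Sabre VObject).
 * Returns ['type' => string, 'body' => string] for inline base64 photos,
 * or false when there is no PHOTO or it only references a URL
 * (remote photos are not fetched).
 */
function extractPhoto(string $vcard)
{
    // Unfold continuation lines (RFC 6350 section 3.2), then locate PHOTO.
    $unfolded = preg_replace("/\r?\n[ \t]/", '', $vcard);
    if (!preg_match('/^PHOTO(;[^:\r\n]*)?:(.*)$/m', $unfolded, $m)) {
        return false;
    }
    $params = strtoupper($m[1] ?? '');
    $value  = trim($m[2]);

    // vCard 4 form: PHOTO:data:image/jpeg;base64,....
    if (preg_match('#^data:([^;,]+);base64,(.*)$#i', $value, $d)) {
        return ['type' => strtolower($d[1]), 'body' => base64_decode($d[2], true)];
    }

    // vCard 3 form: PHOTO;ENCODING=b;TYPE=JPEG:<base64>
    if (strpos($params, 'ENCODING=B') !== false) {
        $type = 'application/octet-stream';
        if (preg_match('/TYPE=([^;]+)/', $params, $t)) {
            $declared = strtolower($t[1]);
            // TYPE may be a bare subtype (JPEG) or a full MIME type (image/jpeg).
            $type = strpos($declared, '/') === false ? 'image/' . $declared : $declared;
        }
        return ['type' => $type, 'body' => base64_decode($value, true)];
    }

    // VALUE=URI or MEDIATYPE=... pointing at a remote resource: not exported.
    return false;
}

/**
 * Build the response for serving a contact photo.
 * Returns ['Content-Type', 'Content-Disposition', 'body'] or false when
 * there is nothing to serve.
 */
function photoResponse(string $vcard)
{
    $photo = extractPhoto($vcard);
    if ($photo === false || $photo['body'] === false) {
        return false;
    }
    $type = in_array($photo['type'], ALLOWED_PHOTO_TYPES, true)
        ? $photo['type']
        : 'application/octet-stream';
    return [
        'Content-Type'        => $type,
        // The PR's test checks "attachment" for the fallback case; this
        // example applies it to every photo so a direct request downloads
        // rather than renders.
        'Content-Disposition' => 'attachment',
        'body'                => $photo['body'],
    ];
}

// Constructed sample vCards mirroring the test cases quoted in the review.
$samples = [
    'vcard 3 with PHOTO'     => "BEGIN:VCARD\r\nVERSION:3.0\r\nUID:12345\r\nFN:12345\r\nPHOTO;ENCODING=b;TYPE=JPEG:MTIzNDU=\r\nEND:VCARD\r\n",
    'vcard 3 with PHOTO URL' => "BEGIN:VCARD\r\nVERSION:3.0\r\nUID:12345\r\nFN:12345\r\nPHOTO;TYPE=JPEG;VALUE=URI:http://example.com/photo.jpg\r\nEND:VCARD\r\n",
    'vcard 4 with PHOTO'     => "BEGIN:VCARD\r\nVERSION:4.0\r\nUID:12345\r\nFN:12345\r\nPHOTO:data:image/jpeg;base64,MTIzNDU=\r\nEND:VCARD\r\n",
    'vcard 4 with PHOTO URL' => "BEGIN:VCARD\r\nVERSION:4.0\r\nUID:12345\r\nFN:12345\r\nPHOTO;MEDIATYPE=image/jpeg:http://example.org/photo.jpg\r\nEND:VCARD\r\n",
    'vcard 3 with bad PHOTO' => "BEGIN:VCARD\r\nVERSION:3.0\r\nUID:12345\r\nFN:12345\r\nPHOTO;ENCODING=b;TYPE=TXT:MTIzNDU=\r\nEND:VCARD\r\n",
];

foreach ($samples as $name => $vcard) {
    $r = photoResponse($vcard);
    echo str_pad($name, 24), ' => ',
        $r === false
            ? 'no photo served'
            : $r['Content-Type'] . ' / ' . $r['Content-Disposition'] . ' / ' . $r['body'],
        PHP_EOL;
}
```

Running it serves the two good cases as `image/jpeg`, refuses both URL cases, and serves the `TYPE=TXT` case as `application/octet-stream`. Note that the allow-list only checks the type the vCard declares; the body is whatever was stored, so a deployment that also wants to catch mislabelled content would additionally verify the bytes against the declared image format before serving.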
@DeepDiver1975 DeepDiver1975 added this to the 9.2 milestone Oct 24, 2016
@mention-bot

@DeepDiver1975, thanks for your PR! By analyzing the history of the files in this pull request, we identified @georgehrke, @LukasReschke and @MorrisJobke to be potential reviewers.

+// 'vcard 3 with PHOTO URL' => [false, "BEGIN:VCARD\r\nVERSION:3.0\r\nPRODID:-//Sabre//Sabre VObject 4.1.1//EN\r\nUID:12345\r\nFN:12345\r\nN:12345;;;;\r\nPHOTO;TYPE=JPEG;VALUE=URI:http://example.com/photo.jpg\r\nEND:VCARD\r\n"],
+// 'vcard 4 with PHOTO' => [['Content-Type' => 'image/jpeg', 'body' => '12345'], "BEGIN:VCARD\r\nVERSION:4.0\r\nPRODID:-//Sabre//Sabre VObject 4.1.1//EN\r\nUID:12345\r\nFN:12345\r\nN:12345;;;;\r\nPHOTO:data:image/jpeg;base64,MTIzNDU=\r\nEND:VCARD\r\n"],
+// 'vcard 4 with PHOTO URL' => [false, "BEGIN:VCARD\r\nVERSION:4.0\r\nPRODID:-//Sabre//Sabre VObject 4.1.1//EN\r\nUID:12345\r\nFN:12345\r\nN:12345;;;;\r\nPHOTO;MEDIATYPE=image/jpeg:http://example.org/photo.jpg\r\nEND:VCARD\r\n"],
+// 'vcard 3 with bad PHOTO' => [['Content-Type' => 'application/octet-stream', 'body' => '12345'], "BEGIN:VCARD\r\nVERSION:3.0\r\nPRODID:-//Sabre//Sabre VObject 4.1.1//EN\r\nUID:12345\r\nFN:12345\r\nN:12345;;;;\r\nPHOTO;ENCODING=b;TYPE=TXT:MTIzNDU=\r\nEND:VCARD\r\n"],
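Review bot: These four test cases are added commented out with nothing above them saying why they are disabled; either enable them or delete them, and if they have to stay commented, add a comment explaining it. The 'vcard 3 with bad PHOTO' case (expects 'application/octet-stream' for PHOTO;ENCODING=b;TYPE=TXT) is exactly the fallback this PR introduces and is the one most worth having active; the two 'PHOTO URL' cases expecting false pin down that remote photo references are not fetched or exported, which is also behaviour a test should cover.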
@PVince81
PVince81 Oct 24, 2016 Collaborator

What to do with these? If they need to stay uncommented (instead of deleting), please add a comment above to say why.

@PVince81
Collaborator

Code looks good, see comment

@DeepDiver1975 DeepDiver1975 Only jpeg, png and gif are allowed to be exported from vcards
c5b99a1
@DeepDiver1975
Member

Code looks good, see comment

is that a 👍

@PVince81 PVince81 merged commit 565c875 into master Oct 25, 2016

4 checks passed

Scrutinizer: 1 updated code elements
continuous-integration/jenkins/pr-head: This commit looks good
continuous-integration/travis-ci/pr: The Travis CI build passed
licence/cla: Contributor License Agreement is signed.
@PVince81 PVince81 deleted the limit-carddav-image-export-mime-types branch Oct 25, 2016
@PVince81
Collaborator

It is now!

Please backport

@DeepDiver1975 DeepDiver1975 self-assigned this Oct 25, 2016
@DeepDiver1975 DeepDiver1975 added a commit that referenced this pull request Oct 25, 2016
@PVince81 @DeepDiver1975 PVince81 + DeepDiver1975 [stable9.1] Merge pull request #26459 from owncloud/limit-carddav-image-export-mime-types

Limit carddav image export mime types
6bf3be3
@PVince81
Collaborator

@DeepDiver1975 stable9 and further ?

@PVince81 PVince81 added a commit that referenced this pull request Oct 25, 2016
@PVince81 PVince81 [stable9.1] Merge pull request #26459 from owncloud/limit-carddav-image-export-mime-types

Limit carddav image export mime types
b5a5be2
@PVince81
Collaborator

stable9: #26484

@DeepDiver1975 DeepDiver1975 added a commit that referenced this pull request Oct 25, 2016
@PVince81 @DeepDiver1975 PVince81 + DeepDiver1975 [stable9.1] Merge pull request #26459 from owncloud/limit-carddav-image-export-mime-types (#26484)

Limit carddav image export mime types
6accf54