Base logic for CVE-2023-42458 on the media type proper (#1167)

* base inline/attachment logic for CVE-2023-42458 on the media type proper (ignoring parameters and whitespace) [skip ci] * update `CHANGES.rst`
zopefoundation · Sep 27, 2023 · 9b52f66 · 9b52f66
1 parent efadec2
commit 9b52f66
Show file tree

Hide file tree

Showing 3 changed files with 41 additions and 1 deletion.
diff --git a/CHANGES.rst b/CHANGES.rst
@@ -13,6 +13,11 @@ https://github.com/zopefoundation/Zope/blob/4.x/CHANGES.rst
 
 - Update to newest compatible versions of dependencies.
 
+- Base the inline/attachment logic developed for CVE-2023-42458
+  on the media type proper (ignore parameters and
+  whitespace and normalize to lowercase)
+  (`#1167 <https://github.com/zopefoundation/Zope/pull/1167>`_).
+
 
 5.8.5 (2023-09-21)
 ------------------

diff --git a/src/OFS/Image.py b/src/OFS/Image.py
@@ -474,7 +474,7 @@ def _range_request_handler(self, REQUEST, RESPONSE):
     def _should_force_download(self):
         # If this returns True, the caller should set a
         # Content-Disposition header with filename.
-        mimetype = self.content_type
+        mimetype = extract_media_type(self.content_type)
         if not mimetype:
             return False
         if self.use_denylist:
@@ -1170,3 +1170,18 @@ def __bytes__(self):
             _next = self.next
 
         return b''.join(r)
+
+
+def extract_media_type(content_type):
+    """extract the proper media type from *content_type*.
+
+    Ignore parameters and whitespace and normalize to lower case.
+    """
+    if not content_type:
+        return content_type
+    # ignore parameters
+    content_type = content_type.split(";", 1)[0]
+    # ignore whitespace
+    content_type = "".join(content_type.split())
+    # normalize to lowercase
+    return content_type.lower()
diff --git a/src/OFS/tests/testFileAndImage.py b/src/OFS/tests/testFileAndImage.py
@@ -433,6 +433,18 @@ def testViewImageOrFile_with_denylist(self):
             "attachment; filename*=UTF-8''file.svg",
         )
 
+    def testViewImageOrFile_with_denylist_and_ct_param(self):
+        request = self.app.REQUEST
+        response = request.RESPONSE
+        self.file.use_denylist = True
+        self.file.content_type += ";charset=utf-8"
+        result = self.file.index_html(request, response)
+        self.assertEqual(result, self.data)
+        self.assertEqual(
+            response.getHeader("Content-Disposition"),
+            "attachment; filename*=UTF-8''file.svg",
+        )
+
     def testViewImageOrFile_with_empty_denylist(self):
         request = self.app.REQUEST
         response = request.RESPONSE
@@ -442,6 +454,14 @@ def testViewImageOrFile_with_empty_denylist(self):
         self.assertEqual(result, self.data)
         self.assertIsNone(response.getHeader("Content-Disposition"))
 
+    def test_extract_media_type(self):
+        extract = OFS.Image.extract_media_type
+        self.assertIsNone(extract(None))
+        self.assertEqual(extract("text/plain"), "text/plain")
+        self.assertEqual(extract("TEXT/PLAIN"), "text/plain")
+        self.assertEqual(extract("text / plain"), "text/plain")
+        self.assertEqual(extract(" text/plain ; charset=utf-8"), "text/plain")
+
 
 class FileEditTests(Testing.ZopeTestCase.FunctionalTestCase):
     """Browser testing ..Image.File"""