| author | André Noack <noack@data-quest.de> | 2023-12-21 14:32:21 +0000 |
|---|---|---|
| committer | Elmar Ludwig <elmar.ludwig@uni-osnabrueck.de> | 2023-12-21 14:32:21 +0000 |
| commit | d4deb791aa1c4f403eb0f89e14c003aa05e30abe (patch) | |
| tree | d8ece22aeff8f6417f6511b76b59ecee47b87a09 /app/controllers/studip_controller.php | |
| parent | 85f82a53edf169f342c11f1db4f457cfe264817f (diff) | |
Resolve "OER-Campus: File upload vulnerabilities"
Closes #3586 and #3587
Merge request studip/studip!2480
Diffstat (limited to 'app/controllers/studip_controller.php')
| -rw-r--r-- | app/controllers/studip_controller.php | 11 |
1 files changed, 9 insertions, 2 deletions
diff --git a/app/controllers/studip_controller.php b/app/controllers/studip_controller.php
index 1ddce67..7a4da54 100644
--- a/app/controllers/studip_controller.php
+++ b/app/controllers/studip_controller.php
@@ -504,8 +504,15 @@ abstract class StudipController extends Trails_Controller
 }
 if ($content_type === null) {
- $finfo = finfo_open(FILEINFO_MIME_TYPE);
- $content_type = finfo_file($finfo, $file);
+ $content_type = get_mime_type($filename ?: $file);
+ }
+
+ if (!in_array($content_type, get_mime_types())) {
+ $content_type = 'application/octet-stream';
+ }
+
+ if ($content_type === 'application/octet-stream') {
+ $content_disposition = 'attachment';
 }
 $this->set_content_type($content_type); |
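Review bot: The forced `attachment` disposition in the last added `if` covers only `application/octet-stream`, so any type listed in `get_mime_types()` that browsers render as active content (for example HTML or SVG, if the list contains them) can still be delivered inline when the caller asks for it. Since `get_mime_type($filename ?: $file)` appears to derive the type from the name rather than from the file contents, whoever uploaded the file effectively chooses that type; consider forcing `attachment` for everything outside a short inline-safe set and sending `X-Content-Type-Options: nosniff` with the response. The allowlist test should also compare strictly, `if (!in_array($content_type, get_mime_types(), true)) {`. The enclosing method starts and ends outside the hunk, so how `$filename` and `$content_disposition` are set up cannot be checked from here.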
