Diffstat (limited to 'lib/classes')
-rw-r--r--lib/classes/Avatar.class.php2
-rw-r--r--lib/classes/JsonApi/Routes/StockImages/StockImagesUpload.php9
-rw-r--r--lib/classes/Services/ImageValidator.php51
3 files changed, 60 insertions, 2 deletions
diff --git a/lib/classes/Avatar.class.php b/lib/classes/Avatar.class.php
index 959523f..7178e1a 100644
--- a/lib/classes/Avatar.class.php
+++ b/lib/classes/Avatar.class.php
@@ -367,7 +367,7 @@ class Avatar
$ext = mb_strtolower($pathinfo['extension']);
// passende Endung ?
- if (!in_array($ext, words('jpg jpeg gif png webp'))) {
+ if (!app(\Studip\Services\ImageValidator::class)->validateName($_FILES[$userfile]['name'])) {
throw new Exception(sprintf(
_('Der Dateityp der Bilddatei ist falsch (%s). Es sind nur die Dateiendungen .gif, .png, .jpeg, .jpg oder .webp erlaubt!'),
$ext
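Review bot: The replacement check is still extension-only: `validateName()` in this commit's `ImageValidator` just lowercases the `pathinfo()` extension of the client-supplied name, so the hunk swaps in the validator without looking at the uploaded bytes, which is the same gap the old `in_array` had. `$_FILES[$userfile]['tmp_name']` is available at this point, so a content check such as `if (!$validator->validateContents($_FILES[$userfile]['tmp_name'])) { throw new Exception(_('...')); }` (with its own message, since the extension message would be misleading) would reject a renamed non-image file, unless something further down the method already does that. The hunk also keeps `$ext` from `$pathinfo` for the message while validating `$_FILES[$userfile]['name']`; if `$pathinfo` was not computed from that same name the two can disagree, but its origin is above the hunk. The enclosing method starts and ends outside the hunk.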
diff --git a/lib/classes/JsonApi/Routes/StockImages/StockImagesUpload.php b/lib/classes/JsonApi/Routes/StockImages/StockImagesUpload.php
index b05b370..b09c3eb 100644
--- a/lib/classes/JsonApi/Routes/StockImages/StockImagesUpload.php
+++ b/lib/classes/JsonApi/Routes/StockImages/StockImagesUpload.php
@@ -9,6 +9,7 @@ use JsonApi\NonJsonApiController;
use Psr\Http\Message\ResponseInterface as Response;
use Psr\Http\Message\ServerRequestInterface as Request;
use Slim\Psr7\UploadedFile;
+use Studip\Services\ImageValidator;
use Studip\StockImages\Scaler;
use Studip\StockImages\PaletteCreator;
@@ -115,8 +116,14 @@ class StockImagesUpload extends NonJsonApiController
*/
private function validate(UploadedFile $file)
{
+ $validator = $this->container->get(ImageValidator::class);
+
$mimeType = $file->getClientMediaType();
- if (!in_array($mimeType, ['image/gif', 'image/jpeg', 'image/png', 'image/webp'])) {
+ $fileName = $file->getClientFilename();
+ if (
+ !$validator->validateMimeType($mimeType)
+ || !$validator->validateName($fileName)
+ ) {
return 'Unsupported media type.';
}
}
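Review bot: `getClientMediaType()` and `getClientFilename()` are declared `?string` on Slim's `UploadedFile`, while `validateMimeType()` and `validateName()` take a non-nullable `string`, so a multipart part sent without a Content-Type or filename now raises a `TypeError` on line `!$validator->validateMimeType($mimeType)` instead of returning 'Unsupported media type.' as the old `in_array` did with `null`. Defaulting both, `$mimeType = $file->getClientMediaType() ?? '';` and `$fileName = $file->getClientFilename() ?? '';`, makes the validation simply fail for such requests. Both values are also entirely client-controlled, so the check does not examine the uploaded bytes; if that is wanted here, the file's stream (or its `uri` metadata) could be handed to the validator's `validateContents()`, which this commit adds but does not call from this route.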
diff --git a/lib/classes/Services/ImageValidator.php b/lib/classes/Services/ImageValidator.php
new file mode 100644
index 0000000..c26377c
--- /dev/null
+++ b/lib/classes/Services/ImageValidator.php
@@ -0,0 +1,51 @@
+<?php
+namespace Studip\Services;
+
+final class ImageValidator
+{
+ public const VALID_EXTENSIONS = [
+ 'gif',
+ 'jpeg', 'jpg',
+ 'png',
+ 'webp',
+ ];
+
+ public const VALID_MIMETYPES = [
+ 'image/gif',
+ 'image/jpeg',
+ 'image/png',
+ 'image/webp',
+ ];
+
+ public function validate(string $filename): bool
+ {
+ return $this->validateName($filename)
+ && $this->validateMimeType(get_mime_type($filename))
+ && $this->validateContents($filename);
+ }
+
+ public function validateMimeType(string $mime_type): bool
+ {
+ return str_starts_with($mime_type, 'image/')
+ && in_array($mime_type, self::VALID_MIMETYPES);
+ }
+
+ public function validateName(string $filename): bool
+ {
+ $extension = pathinfo($filename, PATHINFO_EXTENSION);
+ $extension = strtolower($extension);
+ return in_array($extension, self::VALID_EXTENSIONS);
+ }
+
+ public function validateContents(string $filename): bool
+ {
+ $check = imagecreatefromstring(file_get_contents($filename));
+ if ($check === false) {
+ return false;
+ }
+
+ imagedestroy($check);
+
+ return true;
+ }
+}
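Review bot: `validateContents()` accepts any format GD can decode from a string (BMP, WBMP, GD2 and, depending on the build, AVIF), so a file that passes it is not necessarily one of the four types in `VALID_MIMETYPES`, and it fully decodes the image with `imagecreatefromstring()`, so a small but highly compressed image can exhaust memory before the method returns. Parsing the header first with `getimagesizefromstring()` lets the method pin the detected `mime` to the whitelist and, if a limit is chosen, bound width × height before decoding; `file_get_contents()` returning `false` should also be handled rather than passed on as an empty string. Separately, `validate()` runs `validateName()` and `validateContents()` on the same path, which cannot succeed for a PHP upload whose `tmp_name` has no extension, presumably why both callers in this commit use the individual methods instead. Passing `true` to the `in_array()` calls would also avoid loose comparison.

```php
public function validateContents(string $filename): bool
{
    $data = file_get_contents($filename);
    if ($data === false) {
        return false;
    }

    // Header-only parse: cheap, and reports the format GD actually detected,
    // so a renamed BMP/WBMP cannot slip past the extension/MIME whitelist.
    $info = getimagesizefromstring($data);
    if ($info === false || !in_array($info['mime'], self::VALID_MIMETYPES, true)) {
        return false;
    }

    $check = imagecreatefromstring($data);
    // … unchanged: false check, imagedestroy(), return true …
}
```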