From 798453f342d29ab31004d9a4bb4b9b9144ca3503 Mon Sep 17 00:00:00 2001
From: Alan Hardman
Date: Sat, 12 Mar 2022 12:06:31 -0700
Subject: [PATCH] Use local file type when serving attachments

This should prevent XSS issues when a malicious attachment is uploaded with a forged content-type header
---
 app/controller/files.php | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)

diff --git a/app/controller/files.php b/app/controller/files.php
index 320bc854..71956e9a 100644
--- a/app/controller/files.php
+++ b/app/controller/files.php
@@ -240,21 +240,22 @@ public function file($f3, $params)
 }
 $force = true;
+ $type = mime_content_type($file->disk_filename);
 if (
- substr($file->content_type, 0, 5) == "image" ||
- $file->content_type == "text/plain" ||
- $file->content_type == "application/pdf" ||
- in_array($file->content_type, ['video/mp4', 'video/webm'])
+ substr($type, 0, 5) == "image" ||
+ $type == "text/plain" ||
+ $type == "application/pdf" ||
+ in_array($type, ['video/mp4', 'video/webm'])
 ) {
 $force = false;
 }
 // Force download of SVG images
- if ($file->content_type == 'image/svg+xml') {
+ if ($type == 'image/svg+xml') {
 $force = true;
 }
- if (!$this->_sendFile($file->disk_filename, $file->content_type, $file->filename, $force)) {
+ if (!$this->_sendFile($file->disk_filename, $type, $file->filename, $force)) {
 $f3->error(404);
 }
 }
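Review bot: `$type = mime_content_type($file->disk_filename);` can return `false` (unreadable file, or the fileinfo extension not loaded), and the new code then feeds that non-string through `substr()`, the `==` comparisons and `_sendFile()`, so on failure the response gets an empty content type instead of a safe download. A one-line guard keeps the failure direction safe: `$type = mime_content_type($file->disk_filename) ?: 'application/octet-stream';` — an unknown type then stays in the `$force = true` path. The loose `==` and non-strict `in_array()` are carried over from the removed lines; `$type === 'text/plain'` and `in_array($type, ['video/mp4', 'video/webm'], true)` cost nothing and avoid PHP's loose string comparison. Since the served type is now derived from file content rather than the stored header, it is worth confirming that `_sendFile()` (outside the hunk) also sends `X-Content-Type-Options: nosniff`, so browsers do not re-sniff an inline-served `text/plain` or image body. The enclosing `file()` method begins before the hunk.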