From 75a448ef8ac74424cf4e723afeb6d05f9eed872f Mon Sep 17 00:00:00 2001
From: JiaJia Ji
Date: Wed, 1 Feb 2023 07:32:58 +0100
Subject: [PATCH] [Task]: Mime type check on Profile Avatar upload (#14125)

* Task: mime type check on avatar upload
* Task: change to use getTypeFromMimeMapping
* Task: add missing import
---
 .../AdminBundle/Controller/Admin/UserController.php | 11 +++++++++++
 .../public/js/pimcore/settings/profile/panel.js | 3 +++
 .../public/js/pimcore/settings/user/user/settings.js | 3 +++
 3 files changed, 17 insertions(+)

diff --git a/bundles/AdminBundle/Controller/Admin/UserController.php b/bundles/AdminBundle/Controller/Admin/UserController.php
index fc6dfb62559..ee709030091 100644
--- a/bundles/AdminBundle/Controller/Admin/UserController.php
+++ b/bundles/AdminBundle/Controller/Admin/UserController.php
@@ -21,12 +21,14 @@
 use Pimcore\Bundle\AdminBundle\HttpFoundation\JsonResponse;
 use Pimcore\Controller\KernelControllerEventInterface;
 use Pimcore\Logger;
+use Pimcore\Model\Asset;
 use Pimcore\Model\DataObject;
 use Pimcore\Model\Element;
 use Pimcore\Model\User;
 use Pimcore\Tool;
 use Scheb\TwoFactorBundle\Security\TwoFactor\Provider\Google\GoogleAuthenticatorInterface;
 use Symfony\Component\HttpFoundation\BinaryFileResponse;
+use Symfony\Component\HttpFoundation\File\UploadedFile;
 use Symfony\Component\HttpFoundation\Request;
 use Symfony\Component\HttpFoundation\Response;
 use Symfony\Component\HttpFoundation\Session\Attribute\AttributeBagInterface;
@@ -797,6 +799,15 @@ public function uploadImageAction(Request $request)
             throw $this->createAccessDeniedHttpException('Only admin users are allowed to modify admin users');
         }
 
+        //Check if uploaded file is an image
+        $avatarFile = $request->files->get('Filedata');
+
+        $assetType = Asset::getTypeFromMimeMapping($avatarFile->getMimeType(), $avatarFile);
+
+        if (!$avatarFile instanceof UploadedFile || $assetType !== 'image') {
+            throw new \Exception('Unsupported file format.');
+        }
+
         $userObj->setImage($_FILES['Filedata']['tmp_name']);
 
         // set content-type to text/html, otherwise (when application/json is sent) chrome will complain in
diff --git a/bundles/AdminBundle/Resources/public/js/pimcore/settings/profile/panel.js b/bundles/AdminBundle/Resources/public/js/pimcore/settings/profile/panel.js
index 31f41d1457a..247c3f69d19 100644
--- a/bundles/AdminBundle/Resources/public/js/pimcore/settings/profile/panel.js
+++ b/bundles/AdminBundle/Resources/public/js/pimcore/settings/profile/panel.js
@@ -250,6 +250,9 @@ pimcore.settings.profile.panel = Class.create({
                 Ext.getCmp("pimcore_profile_delete_image_" + this.currentUser.id).setVisible(true);
                 pimcore.helpers.reloadUserImage(this.currentUser.id);
                 this.currentUser.hasImage = true;
+            }.bind(this),
+            function () {
+                Ext.MessageBox.alert(t('error'), t("unsupported_filetype"));
             }.bind(this)
         );
     }.bind(this)
diff --git a/bundles/AdminBundle/Resources/public/js/pimcore/settings/user/user/settings.js b/bundles/AdminBundle/Resources/public/js/pimcore/settings/user/user/settings.js
index 7cff290a69d..56dacbba324 100644
--- a/bundles/AdminBundle/Resources/public/js/pimcore/settings/user/user/settings.js
+++ b/bundles/AdminBundle/Resources/public/js/pimcore/settings/user/user/settings.js
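Review bot: `$avatarFile->getMimeType()` is called one line before the `instanceof UploadedFile` guard, so a request that omits the `Filedata` part (or sends it as a plain field) makes `$request->files->get('Filedata')` return null and the method dies with a member-call-on-null `Error` instead of the intended 'Unsupported file format.' exception that the new JS failure callback is written for. The guard should come first, and since `getTypeFromMimeMapping` appears to take a filename as its second argument, pass `$avatarFile->getPathname()` rather than the object (it only works today via `SplFileInfo::__toString` — worth confirming against the Asset signature). Checking `$avatarFile->isValid()` there as well rejects partial or failed uploads before `setImage` reads the temp path, and using `getPathname()` in the `setImage` call removes the now-redundant `$_FILES['Filedata']['tmp_name']` access. `getMimeType()` on an `UploadedFile` guesses from the file contents rather than trusting the client-sent type, which is what makes this a meaningful check; `uploadImageAction` starts before and continues after this hunk.
```php
        //Check if uploaded file is an image
        $avatarFile = $request->files->get('Filedata');

        if (!$avatarFile instanceof UploadedFile || !$avatarFile->isValid()) {
            throw new \Exception('Unsupported file format.');
        }

        $assetType = Asset::getTypeFromMimeMapping($avatarFile->getMimeType(), $avatarFile->getPathname());

        if ($assetType !== 'image') {
            throw new \Exception('Unsupported file format.');
        }

        $userObj->setImage($avatarFile->getPathname());
        // … unchanged: response construction …
```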
@@ -177,6 +177,9 @@ pimcore.settings.user.user.settings = Class.create({
                 Ext.getCmp("pimcore_user_delete_image_" + this.currentUser.id).setVisible(true);
                 pimcore.helpers.reloadUserImage(this.currentUser.id);
                 this.currentUser.hasImage = true;
+            }.bind(this),
+            function () {
+                Ext.MessageBox.alert(t('error'), t("unsupported_filetype"));
             }.bind(this)
         );
     }.bind(this)