2026-05-28 21:15:47 +02:00
parent 420f58c85a
commit 6be580dc92
3 changed files with 24 additions and 5 deletions


@@ -92,12 +92,19 @@ const parseMultipartFiles = (buffer, boundary) => {
}; };
/** /**
* Build the allowed MIME list for comment uploads (image/*, video/*, audio/*). * Build the allowed MIME list for comment uploads.
* Filters from cfg.mimes, excluding PDF, SWF, etc. * Respects cfg.websrv.fileupload_comments_mimes (e.g. ["image", "video", "audio"]) to
* allow a different set of categories than the global allowedMimes used for page uploads.
* Falls back to image/video/audio if the setting is absent.
*/ */
const getAllowedCommentMimes = () => { const getAllowedCommentMimes = () => {
const allowedCats = Array.isArray(cfg.websrv.fileupload_comments_mimes)
? cfg.websrv.fileupload_comments_mimes.map(c => c.toLowerCase())
: ['image', 'video', 'audio'];
return Object.keys(cfg.mimes).filter(mime => return Object.keys(cfg.mimes).filter(mime =>
mime.startsWith('image/') || mime.startsWith('video/') || mime.startsWith('audio/') allowedCats.some(cat =>
cat.includes('/') ? mime === cat : mime.startsWith(`${cat}/`)
)
); );
}; };
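Review bot: `c.toLowerCase()` on the config entries assumes every element of cfg.websrv.fileupload_comments_mimes is a string; a number or null in that array throws a TypeError from inside getAllowedCommentMimes instead of yielding a usable list, and the same `.map(c => c.toLowerCase())` appears in handleUpload's hunk in the third file. Normalising with `String(c).trim().toLowerCase()` keeps both readers tolerant of sloppy config. The exact-match branch compares the lowercased entry against the cfg.mimes key as written, so an exact entry only matches a key that is already lowercase; presumably the keys are, but the docstring should say so. The docstring should also state that a bare category such as `application` admits every `application/*` key present in cfg.mimes, which is the set the old comment described as excluded, so operators who want PDFs should list `application/pdf` rather than the category.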


@@ -1147,6 +1147,7 @@ process.on('uncaughtException', err => {
fileupload_comments_size: cfg.websrv.fileupload_comments_size || (10 * 1024 * 1024), fileupload_comments_size: cfg.websrv.fileupload_comments_size || (10 * 1024 * 1024),
fileupload_comments_max: cfg.websrv.fileupload_comments_max || 5, fileupload_comments_max: cfg.websrv.fileupload_comments_max || 5,
fileupload_comments_mode: cfg.websrv.fileupload_comments_mode || 'attachment', fileupload_comments_mode: cfg.websrv.fileupload_comments_mode || 'attachment',
fileupload_comments_mimes: Array.isArray(cfg.websrv.fileupload_comments_mimes) ? cfg.websrv.fileupload_comments_mimes : ['image', 'video', 'audio'],
get fonts() { get fonts() {
try { try {
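Review bot: The added default checks only `Array.isArray`, so `[]` and arrays with non-string members pass straight through to getAllowedCommentMimes; an empty array yields an empty allowlist and every comment upload is rejected, which may be the intended way to disable uploads but is not documented anywhere in the hunk. If it is intended, a comment such as `// [] disables comment uploads; entries are category prefixes ("image") or exact types ("application/pdf")` would save the next reader a trip to the consumer. If it is not, fall back to the default on an empty array as well, e.g. `Array.isArray(x) && x.length > 0 ? x : ['image', 'video', 'audio']`. The object literal this line belongs to starts and ends outside the hunk.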


@@ -157,7 +157,18 @@ export const handleUpload = async (req, res, self) => {
} }
// Validate MIME type // Validate MIME type
const allowedMimes = Object.keys(cfg.mimes); // cfg.allowedMimes entries can be category prefixes ("image", "video", "audio")
// OR exact MIME types ("application/pdf"). Entries with "/" are matched exactly.
const allowedCats = Array.isArray(cfg.allowedMimes)
? cfg.allowedMimes.map(c => c.toLowerCase())
: null;
const allowedMimes = allowedCats
? Object.keys(cfg.mimes).filter(m =>
allowedCats.some(cat =>
cat.includes('/') ? m === cat : m.startsWith(`${cat}/`)
)
)
: Object.keys(cfg.mimes);
let mime = file.contentType; let mime = file.contentType;
if (!allowedMimes.includes(mime)) { if (!allowedMimes.includes(mime)) {
@@ -224,7 +235,7 @@ export const handleUpload = async (req, res, self) => {
// Save temporarily to detect actual MIME // Save temporarily to detect actual MIME
await fs.writeFile(tmpPath, file.data); await fs.writeFile(tmpPath, file.data);
// Verify MIME // Verify actual MIME (second check after file-command detection)
let actualMime = (await queue.spawn('file', ['--mime-type', '-b', tmpPath])).stdout.trim(); let actualMime = (await queue.spawn('file', ['--mime-type', '-b', tmpPath])).stdout.trim();
if (!allowedMimes.includes(actualMime)) { if (!allowedMimes.includes(actualMime)) {
await fs.unlink(tmpPath).catch(() => { }); await fs.unlink(tmpPath).catch(() => { });
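Review bot: The category/exact matching added at the top of handleUpload duplicates getAllowedCommentMimes in the first file line for line (lowercasing, the `includes('/')` test, the `${cat}/` prefix), so the two allowlists will drift the first time one is fixed; a single helper that both call keeps the policy in one place and is also where a guard for non-string config entries belongs. The list is also recomputed from cfg.mimes on every upload, whereas a stand-alone helper could be evaluated once at startup. One consequence of prefix matching deserves a comment here: `image` admits `image/svg+xml` if that key is present in cfg.mimes, and SVG can carry script, so such uploads should only be served with a download disposition or a restrictive CSP (how the files are served is not visible in this hunk). handleUpload starts and ends outside both hunks; the second hunk's re-check after `file --mime-type` correctly reuses the same allowlist.
```javascript
// Defined once, next to getAllowedCommentMimes, and imported by both callers.
const filterMimesByEntries = (mimeKeys, entries) => {
  const cats = entries.map(e => String(e).trim().toLowerCase());
  return mimeKeys.filter(m =>
    cats.some(cat => (cat.includes('/') ? m === cat : m.startsWith(`${cat}/`)))
  );
};

// … in handleUpload, replacing the allowedCats/allowedMimes block …
const allowedMimes = Array.isArray(cfg.allowedMimes)
  ? filterMimesByEntries(Object.keys(cfg.mimes), cfg.allowedMimes)
  : Object.keys(cfg.mimes);
```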